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FO.REWO RD 


This report covers the work conducted under NASA Contract 
Number NAS 1-12956^ "Preliminary System Design Study For A 
Digital Fly-By-Wire Flight Control System For An F-8C Aircraft" , 
The program was administered under the direction of the Flight 
Dynamics and Control Division of NASA - Langley Research Center. 

The report covers work performed between February 1974 and 
August 1974 by the Government and Aeronautical Products Division 
of Honeywell Inc. under the direction of Charles L. Seacord. The 
principal contributors were Russell Hendricks, Larry Jack, Virgil 
Norquist, Charles Seacord and Darrel Vaughn. Mr. Robert Rasmussen 
of Tri-Tec Associates contributed in the area of actuators and 
hydraulics , 
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EXECUTIVE PROGRAM SYNOPSIS 


BACKGROUND 


NASA is currently engaged in a flight test program to 
explore the potential of Digital Fly-By-Wire Flight Control 
Systems. The NASA Flight Research Center has responsibility for 
the program and is supported by the NASA Langley Research Center 
in the area of flight control software and hardware functional 
design. 

The Phase I portion of the program demonstrated fly-by-wire 
flight using a F-8C aircraft modified by replacing the mechanical 
flight control system with a completely fly-by-wire system which 
utilized an Apollo computer and inertial measurement unit, to- 
gether with specially designed actuators and interface electronics. 

The performance of the digital fly-by-wire (DFBW) system 
in Phase I, although adequate for an initial investigation, was 
limited by the basic characteristics of the Apollo equipment, 
particularly in regard to output granularity. The original 
Phase Ila program plan called for improving the sensor/digital 
electronics by replacing the Apollo equipment with dual state- 
of-the-art flight control sensors, and by using dual IBM AP-101 
digital computers. The analog backup control system was to be 
retained. 

In Phase Ilb, it was intended to convert the sensors and 
the digital electronics to a completely fail-operational config- 
uration with high mission reliability, and remove the analog 
backup. The current study was intended to provide suitable 
conceptual designs for the Phase lib fail-operational DFBW 
system. 

Soon after the initiation of the study efforts, NASA 
reoriented the F-8C DFBW program. First it was established that 
the Phase lib DFBW system should be configured to support devel- 
opment of the Space Shuttle flight control system as much as 
practicable, then a further decision was made to combine Phase 
Ila and Phase lib in the interests of economy and schedule. 

Finally, it was decided to retain the analog backup system in 
the interest of maximizing flight safety. 
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PURPOSE AND SCOPE OF STUDY 


The purpose of the s\ibject study was to perform a prelim- 
inary design study which would define DFBW systems suitable 
for the last phase of the F-8C DFBW program. Further, particu- 
lar attention was to be given to improving the secondary actua- 
tors used in the Phase I program. The results of this study 
were oariginally intended to be used as a basis for preparing 
procurement specifications, which would define the modifica- 
tions, or new equipment, necessary to convert the dual fail-safe 
Phase Ila system into a fail-operational Phase Ilb system. 

Because of the reorientation of the program, study results 
are less detailed than originally envisioned, but instead cover 
design concepts for several systems which would be applicable 
nqt only to the specific F-8C program but to the development of 
F]8W systems for transport aircraft in general . 

In the study, as reoriented, several configurations, either 
specifically tailored to the F-8C program or applicable to 
transport use, were compared in a tradeoff matrix with regard 
to mission reliability, applicability to the Shuttle flight 
control system development, and other features. The configura- 
tions considered were primarily those which could be based on 
equipment planned for Phase Ila and meet the space and power 
limitations of the F-8C airplane. However, for the sake of 
generality, some configurations exceeding the airplane limits 
were included. 

The secondary actuator performance improvement, because of 
the emphasis placed on it, was treated somewhat separately from 
the study of the sensor/computer combination, but in a way that 
makes the actuator recommendations suitable for all configura- 
tions studied. 


METHODS OF APPROACH 


Wherever possible, applicable information from other recent 
or current work was used in order to maximize the effort on the 
problem at hand. Visits were made to all agencies concerned 
with the development of flight controls for both the NASA F-8C 
airplane and the Space Shuttle. Data from various other NASA- 
funded studies and in-house work were used, particularly in 
regard to actuator performance, both measured and required. 
Analytical techniques employed for reliability prediction are 
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those currently being used in the design of advanced digital 
redundant flight control systems. 


CONFIGURATIONS STUDIED 


A very simplified analysis was made of a nxamber of possible 
configurations; from this survey four basic configurations - 
two triple and two quadruple, each with and without a data bus, 
were selected for the more detailed tradeoff comparison. " 
Simplified block diagrams of these are shown in Figure I. 


RESULTS AND CONCLUSIONS 


In addition to the basic tradeoff comparison of configura- 
tions, the report contains the results of limited studies of 
specific technical aspects such as actuator hysteresis, effect 
of self-check on failure probability, and the application of 
data buses to redundant systems. In this synopsis, however, for 
brevity the results are limited to the tradeoff matrix and the 
major conclusions which can be drawn from the tradeoff plus the 
individual studies. • , 

The tradeoff comparison is shown in the table below. It can 
be seen that the two triple -channel configurations are quite close 
and that indeed a slight change in the evaluation or weighting 
of either the cost or applicability-to-Shuttle factors could 
reverse the result. Either configuration would be quite satis- 
factory for the basic research purpose of the F-8C DFBW program. 

In regard to Shuttle applicability, the tradeoff becomes the 


CONFIGURATION TRADEOFF 


Candidate 

Configuration 

Cost 

Re j.i ability 

Maintainability 

Application 
to Shuttle 

Total 

Rating 

Improved research 
vehicle configuration 

10 

8.0 

2.5 

6 

26.5 

Triple-channel data 
bus Shuttle 
configuration 

7.2 

8.25 

1.94 

9 

26.39 

Quadruple-channel 
commercial transport 
configuration 

5.85 

10.0 

2.25 

5 

23.1 

Quadruple-channel 
data bus Shuttle 
configuration 

4.46 

10.0 

1.51 

10 

25.97 
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TRIPLE REDUNDANT RESEARCH VEHICLE IMPROVED CONFIGURATION 



QUADRUPLE REDUNDANT TRANSPORT CONFIGURATION 



TRIPLE REDUNDANT SHUTTLE CONFIGURATION 



QUADRUPLE DATA BUS & COMPUTER SHUTTLE CONFIGURATION 
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Figure I. 


Basic Configurations Studied 
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importance of estimated cost versus an informed opinion on the 
relevance of the two configurations to the Shuttle flight 
control system development. Such a final choice is clearly 
beyond the scope of this study, but comments on "Shuttle appli- 
cability" are offered in the following conclusions. 

1) For the purposes of the NASA F-8C DFBW program, a 
triple configuration with a high degree of self-check 
capability would seem most suitable. The use of self- 
check is considered important because the effective- 
ness of this feature in decreasing failure probability 
without completely duplicating computers - will cause 
it to be used extensively in future systems . In this 
particular case the exact amount of self-check (and 
decrease in failure probability) capability is not 
critical because of the presence of a backup control 
system and the experimental nature of the program. 

The data of Figures II through V show clearly that 
the inclusion of the backup will lower the failure 
probability to a satisfactory level for all cases. 
Further, in a test program the flight can be aborted 
at the first failure indication and thus essentially 
preclude occurrence of additional failures. 

2) The secondary actuator hysteresis must be decreased to 
below 0.1° surface motion in the primary digital mode 
in order for the F-8C DFBW system to be effective in 
advanced control law research. The basic reason for 
excessive actuator hysteresis in the Phase I config- 
uration is the inadequate ratio of force gain to 
static friction. This ratio can be improved by 
replacing the electrohydraulic valves and modifying 
the drive electronics. The addition of in-line servo 
loop monitoring, suitably used, would provide two 
fail-op servo characteristics and prevent the servo 
area from being the limiting factor in reducing sys- 
tem failure probability. The suggested servo modi- 
fications would also increase servo bandwidth which 

in turn would improve overall performance in advanced 
control law research. 

3) The configuration considered to be most effective for 
aiding the Shuttle flight control development is that 
labeled "Triple- Redundant Shuttle". (Obviously, the 
"Quadruple Redundant Shuttle" configuration would more 
closely resemble the actual Shuttle arrangement, but 
cost and installation factors preclude its use for the 
F-8C program.) This triple configuration with the 
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COMPARISION MONITORING - 
DIGITAL 



Figure II. Reliability Improvement Improved 
Research Vehicle Configuration 



Figure III. Reliability Improvement Space 

Shuttle Triple-Channel Data Bus 
Configuration 


X 







Figure IV. Reliability Improvement Commercial Transport 

and Space Shuttle Quadruple Data Bus Configuration 



Figure V. Range of Probability of Success 











actual MDM and simulated (in hardware) bus interface 
electronics would provide valuable experience in the 
use of data buses for flight control signal trans- 
mission and would represent fairly well the Shuttle 
flight control system (PCS) as it will be configured 
after one failure. If the sensor /computer/servo 
buses are not used, the input/output (I/O) processing 
(whether in the AP-101 or in interface units) will be 
significantly different from that of the actual 
Shuttle flight control system. This means that the 
housekeeping routines will be different from that of 
the actual Shuttle system, and thus, little of the 
experience will be directly applicable. On the other 
hand, computer synchronization methods, sensor/servo 
failure detection programs and computer self-check 
routines could be evaluated with a non-data bus 
system, depending on the degree to which actual 
Shuttle software can be used. Overall, it would seem 
that, inasmuch as the major new area in the Shuttle 
PCS design is the very sophisticated data bus con- 
figuration, a data bus system would be desirable, 
if at all feasible, in terms of program cost and 
schedule . 
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PRELIMINARY SYSTEM DESIGN STUDY 
FOR A DIGITAL FLY-BY-WIRE FLIGHT 
CONTROL SYSTEM FOR AN F-8C AIRCRAFT 

By 

C.L. Seacord and D.K. Vaughn 


SECTION 1 
SUMMARY 


The objective of the F-8C Digital Fly-By-Wire (DFBW) Con- 
trol System study was to develop conceptual design (s) of one or 
more configurations of highly reliable digital flight control 
systems for application to the last phase of the NASA F-8C DFBW 
research program. Reconfigurable computer techniques, as de- 
veloped in another NASA-funded study, were to be used where 
applicable . 

The primary quantitative design objective was the attain- 

ment of a mission failure probability of less than 1.0 x 10 
failures per flight hour for the complete DFBW control system. 
Emphasis was also placed on developing actuator configurations 
that would improve the system performance, and consideration of 
the practical aspects of sensor/computer and computer/actuator 
interface implementation. The study results were intended to 
form the basis for the preparation of procurement specifications 
for flight control components for the final phase of the F-8C 
DFBW program. 

The system configurations to be considered were somewhat 
constrained by a desire to utilize as much as possible of the 
equipment planned for the F-8C DFBW Phase Ila and by the space 
and power limitations of the F-8C airplane itself. In addition 
to failure probability, the system characteristics of cost and 
maintainability were evaluated and used as the basis of a trade- 
off comparison. Early in the study period NASA made a decision 
that the F-8C DFBW Phase Ila and Phase Ilb programs should be 
combined and oriented to support the development of the Space 
Shuttle flight control system. 

Accordingly, an additional characteristic of "applicability 
to Shuttle flight control development" was added for use in the 
tradeoff. 



Five basic configurations were defined as appropriate can- 
didates for the F-8C research tasks . Options on the basic con- 
figurations were included to cover variations in sensors ^ redun- 
dancy levels, data transmission techniques, processor input/ 
output methods , and servo actuator arrangements . 

In regard to actuators, the dynamic performance required 
for control law research was determined, the existing perform- 
ance was analyzed, and the sources of deficient performance were 
identified. Several ways of modifying and improving the actu- 
ators were analyzed, and the salient requirements on new compo- 
nents were determined. 

The results indicate that at least triple redundancy plus 
a high degree of in-line monitoring will be necessary to meet 
the failure probability goal of 1.0 x 10~^, excluding the effect 
of analog backup channels. At this level of reliability, the 
distribution of failure rate through the different areas of the 
system (e.g. sensors, computers, or actuators) is such that if 
any one area is given more redundancy - for instance, 4X com- 
puters with 3X sensors and actuators - the less redundant areas 
become limiting factors and little overall improvement is noted. 
The application of data busing techniques to a given system 
will have little effect on failure probability unless the origi- 
nal system lacks all crossfeeds. However, for the purpose of 
aiding the Shuttle flight control system development, it is 
recommended that a triple system with data bus be used. 

The secondary actuator performance is marginal for use with 
current (Phase I) control laws and will be inadequate for ad- 
vanced control law (CCV) research. The performance can be made 
satisfactory by installing improved electrohydraulic valves and 
redesigning the servo mistrack and failure detection arrangement. 
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SECTION 2 


INTRODUCTION 


PRIOR STATUS 


NASA is currently engaged in a flight test program to 
explore the potential of Digital Fly-By-Wire Flight Control 
Systems. The NASA Flight Research Center has responsibility 
for the program and is supported by the NASA Langley Research 
Center in the area of flight control software and hardware 
functional design. 

The Phase I portion of the program demonstrated completely 
fly-by-wire flight using an F-8C aircraft modified by replacing 
the mechanical flight control system with a fly-by-wire system 
which utilized an Apollo computer and inertial measurement unit, 
together with specially designed actuators and interface elec- 
tronics. The digital portion of the system was single channel 
(non-redundant) with flight safety being assured by the instal- 
lation of a triple-redundant analog direct stick-to-actuator 
electronic control system. 

The performance of the digital fly-by-wire (DFBW) system 
in Phase I , although adequate for an initial investigation 
(refs. 1, 2) was limited by the basic characteristics of the 
Apollo equipment, particularly in regard to output granularity. 

The original Phase Ila program plan called for improving the 
sensor/digital electronics by replacing the Apollo equipment 
with state-of-the-art flight control sensors, and by using IBM 
AP-101 digital computers. The sensors and digital electronics 
were to be arranged in a dual-redundant configuration, with 
ultimate flight safety again being assured by the retention of 
the triple- analog backup system. 

In Phase Ilb, it was intended to convert the sensors and 
the digital electronics to a completely fail-operational con- 
figuration with high mission reliability, and remove the analog 
backup. The current study was intended to provide suitable 
conceptual designs for the Phase lib fail-operational DFBW 
system. 

Soon after the initiation of this study effort, NASA re- 
oriented the F-8C DFBW program. First it was established that 
the Phase lib DFBW FCS should be configured to support develop- 
ment of the Space Shuttle flight control system as much as practi- 
cable; then a further decision was made to combine Phase Ila and 
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Phase Ilb in the interest of economy and schedule. Finally ^ it 
was decided to retain the analog backup system (BCS) in the 
interest of maximizing flight safety. 


PURPOSE 


The purpose of the subject study was to perform a pre- 
liminary design study which would define digital FEW system (s) 
suitable for the last phase of the F-8C DFBW program. Further, 
particular attention was to be paid to the improvement of the 
secondary actuators used in the Phase I program. The results 
of this study were originally intended to be used as a basis for 
the preparation of procurement specifications, which would de- 
fine the modifications, or new equipment, necessary to convert 
the dual fail-safe Phase Ila system into a fail-operational 
Phase lib system. 

Because of the reorientation of the program, study results 
are less detailed than originally envisioned, but instead, cover 
design concepts for several systems which would be applicable 
not only to the specific F-8C program but to the development of 
FEW systems for transport aircraft in general. 


CONDITIONS OF STUDY 


The program as originally planned involved the collection 
of data from the NASA Langley and Flight Research Centers, the 
C. S. Draper Laboratory (design of the Phase Ila DFBW System), 
Ultra- Sys terns , Inc., and IBM, Inc. 

The revised program, because of the emphasis placed on ap- 
plication to the Shuttle development, added the NASA Johnson 
Space Center and Rockwell International as sources of data. 

This reorientation of the study did not occur immediately at the 
start, but took place over a period of about two months. This 
situation, plus the fact that the design of the Phase Ila equip- 
ment was not completed prior to the combination of Phase Ila 
with Phase lib (which necessitated considerable redesign) , 
caused the documentation on the Phase Ila system to be rather 
sparse . 
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SCOPE 


In the reoriented study , several configurations, either 
specifically tailored to the F-8C program or applicable to trans- 
port use, were compared in a tradeoff matrix with regard to 
mission reliability, applicability to the Shuttle flight con- 
trol system development, and other features » The configurations 
considered were primarily those which could be based on equip- 
ment planned for Phase I la and meet the space and power limita- 
tions of the F-8C airplane. However, for the sake of generality, 
some configurations exceeding the airplane limits were included. 

The secondary actuator performance improvement, because of 
the emphasis placed on it, was treated somewhat separately from 
the study of the sensor/computer combination, but in a way that 
makes the actuator recommendat.' ons suitable for all configura- 
tions studied. 

Those configurations which appeared useful on the basis of 
mission reliability were examined in some detail to indicate 
potential implementation problems or peculiarities. Because of 
the timing of the Phase II equipment design, recommendations 
for actuator improvements were prepared midway through the 
study and made available for NASA's use. 


EARLIER WORK 


The current study is by no means the first in which the 
design of highly reliable flight control systems, whether digi- 
tal or analog, has been considered. In the early '60's, con- 
siderable work was done on the subject in the X-15, X-20, Gemini, 
Apollo, F-111, and SR-71 programs (refs. 3, 4, 5, 6). Much more 
recently, several papers describing current state-of-the-art 
development in this field were presented at a NASA Symposiiim in 
July of 1974 (e.g. refs. 7, 8, 9). These references are not 
all-inclusive, but they are believed to be representative of the 
historical development and current status of highly reliable 
flight control systems. 


SIGNIFICANCE 


In the past few years several research programs (e.g. the 
Air Force LAMS and the NASA ATT programs) have analyzed and pre- 
dicted the benefits of flight-critical electronic control and/or 
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complete fly-by-wire control systems. These studies and 
tests have shown the benefits of FBW control to range from 
minor to very impressive. In light of these results, the cur- 
rent study is significant in that it indicates that a satisfac- 
torily reliable (comparable to current mechanical/hydraulic con- 
trol systems) DFBW system can be built using available transport- 
quality components. Further, it is shown that there are a 
variety of system configurations which can meet the basic reli- 
ability requirement. Each has particular desirable features, 
thus allowing an efficient match of future DFBW control systems 
to specific mission/aircraft requirements. 
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SECTION 3 


LIST OF ABBREVIATIONS AND SYMBOLS 


A/D 

- 

Analog/digital 

ATE 

- 

Automatic test equipment 

AWG 

_ 

American wire gage 

BCS 

- 

Backup control system 

BCD 

- 

Bus control unit 

BIT 

- 

Built-in test 

CAB 

- 

Civil Aeronautics Board 

CCV 

- 

Control configured vehicle 

CEP 

- 

Circular error probability 

CPU 

- 

Central processor unit 

D/A 

- 

Digital/analog 

DAIS 

- 

Digital Avionics Information System 

DB 

- 

Data bus 

DFBW 

- 

Digital fly-by-wire 

EHV 

- 

Electrohydraulic valve 

EMI 

- 

Electromagnetic interference 

FAA 

- 

Federal Aviation Administration 

FCS 

- 

Flight control system 

FDM 

- 

Frequency division multiplexing 

Hz 

- 

Frequency cycles per second 

IBM 

- 

International Business Machine Corp. 

I/O 

- 

Input/output 



lOP 


LRU 

LVDT 

MDM 

MHz 

MIA 

MUX 

NASA' 

NASA- 

NRZ 

NTSB 

SSIB 

TDM 

VCO 

X 

y sec 
c 


- Input/output processor 

- Line -rep lace able unit 

- Linear variable differential transformer 

- Multiplexer demultiplexer 

- Megahertz 

- Multiplex interface adapter 

- Multiplexed 

■FRC - NASA Flight Research Center 
LaRC - NASA-Langley Research Center 

- Non return to zero 

“ National Transportation Safety Board 

- Svibsystem interface board 

- Time division multiplexing 

- Voltage-controlled oscillator 

- Failure rate (failures per hour) 

- Microsecond 

- Mean aerodynamic chord, feet 
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SECTION 4 


FLIGHT TEST VEHICLE DESCRIPTION 


The first aircraft flight tests of a digital fly-by-wire 
control system were conducted in Phase I of the NASA Digital 
Fly-by-Wire program at the NASA Flight Research Center. In this 
first phase of the program, an F-8 aircraft was modified by 
replacing the mechanical flight control system with an Apollo 
lunar guidance computer, an inertial measurement unit, an elec- 
tronic backup system, and an electrohydraulic secondary actua- 
tion system. 


GENERAL 


NASA 802 is a highly modified LTV F-8C. The aircraft is 
the prototype F-8C, Navy BUNO 145546, and has been a flight test 
vehicle since manufacture in 1958. Its flight limits are; 


Mach 

Airspeed 

Altitude 

Roll while in DECS 
Pitch while in DECS 


1.1 

600 KIAS (1111.9144 KPH IAS) 
50 000 ft (15,240 meters) 
70°/sec 
+60° 


Engine 

A Pratt and Whitney J57-P20A engine is installed in place 
of the standard J57-P16. MIL thrust of the J57-J20A is approxi- 
mately 10 800 lb (4909 kg) and A/B thrust is about 18 000 lb 
(8181.8kg). 


Actuators 

The five dual-tandem surface power control cylinders uti- 
lize the existing dual hydraulic supply systems, PCI and PC2. 
The ram air turbine can supply hydraulic pressure as a backup 
for PCI. 

Each power control cylinder is positioned by a hydraulic 
secondary actuator (designed and manufactured by Hydraulic 
Research and Manufacturing) . The secondary actuators are posi- 
tioned by electrical commands from either the primary or backup 
systems . 
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Each secondary actuator has four electrohydraulic valves 
operating into three separate hydraulic cylinders supplied by 
the two hydraulic systems , A fifth valve mounted on the actuator 
body is used only for comparison. The primary system is identi- 
fied as channel 1 and is controlled by the digital system. The 
backup systems are all identical and are identified as channels 2 , 
3, and 4, As shown in Figure 1 PCI supplies pressure to chan- 
nels 2 and 4 while PC2 supplies pressure to channels 1 and 3. 

The valve engage circuits are designed to prohibit simultaneous 
drive from the primary and backup systems . 


Electrica]. System 

The electrical power distribution system is currently rep- 
resented by the diagram shown in Figure 2. A lOOA, 30V d-c 
flight control system (FCS) direct-drive generator is installed 
on the J57-P20A engine. 

Four 11 ampere hour nickel cadmium batteries are mounted in 
the aircraft to supply emergency power to each of the four FCS 
buses. They can supply a minimum of one hour BCS operation, and 
10 minutes of primary operation. 

A high-capacity generator is installed on the ram air 
turbine. Its rating is 4.2 KVA, and 30A dc. 


Flight Controls 

The flight control system uses the control stick and rudder 
pedals to operate three sets of linear variable differential 
transformers (LVDT) for each axis. 

The standard aircraft feel system has not been altered 
except for the addition of a roll stick viscous damper located 
on the stick linkage in the main generator bay. The standard 
F-8C grip has been removed and replaced with a modified Air 
Force B-8 grip. 


Control System Operation 

Control system operation is controlled by the pilot uti- 
lizing a Mode panel (located on the instrument panel) and a 
Status and Engage panel (located on the left console) . 

By means of the Mode panel, the pilot can select the mode 
in which the aircraft flight controls will function. The Mode 
panel also displays, via lights, the status of various compo- 
nents of the digital portion of the flight control system. 
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Figure 1. Hydraulic Supply Distribution to the 
Secondary Actuator 



Figure 2. Electrical Power Distribution System 









V 


PHASE I - DPBW COH FI DURATION 


Figure 3 illustrates the overall system mechanization of 
the Phase 1 system. Tht: pilot *s sticky pedal, and trim inputs 
were routed to the digital computer as inputs to the primary 
aygteiii and to the analog electronics as inputs to the backi^ 
control system. A single- channel digital primary configuration 
wag chosen for the first phase to obtain eKperianea with the 
digital control aspects early in the total fly-by^wire program. 
This subsystem, consisting of a digital cwnputer, an inertial 
measureiuant unit, and a coupling data unit which contains the 
interface digital-to-analog and analog-to-dlgital converters was 
assembled from high-reliability coniponents of the Apollo guid^ 
ance system. The total aystom design required two fail-opera- 
tional reliability; therefore, a triple -channel analog backup 
system was mechanized. 

The Apollo lunar guidance computer was the heai:t of the 
system. The control laws, coordinate transformations, signal 
conditioning, and filtering were programmed on the guidance 
computer together with self test and failure monitoring logic. 
I>Qdicated hardware within the guidance computer accepted pilot 
control inputs directly. The feedbacks used in the r?ahtxol laws 
were derived from signals from the Apollo inertial meaeureioent 
unit. The inertial measurement unit outputs were gimbal angles 
and three-axis pulse-integrating pendulous accelercmeter signals 
referred to a local vertical alignment of the stable platform. 
The discrete accelerometer signals entered the guidance computer 
directly, but the giwibal angle signals wont through an analog-" 
to-digital conversion in the coupling data unit. The digital’- 
to-analog conversion of the secondary servo actuator comraands 
was also perforfued in the coupling data unit. 


PHASE 11a ” DFBIf OOHFIGUHATION 


The Phase Ila DFEW configuration was planned to be a dual- 
channel, fail-safe digital fly-by-wire system using stato-of- 
the-art ccinputar components. Figure 4 shows a functional block 
diagram of one phase lla configuration considered. 

This configuration was intended to provide a versatile aya- 
tem that could be used for general research on digital control 
sygtenis* The digital aystem ueed an IBM APlCl general-purpose 
processor in each of the two channels. The input/output func- 
tion was provided by two Charles S. Draper Laboratory- designed 
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Figure 4 . 


Phase IIA Digital FEW Control System 
Block Diagram for a Typical Surface 


SURFACE 


























interface units. Conventional rate gyros, attitude gyros, and 
accelerometers furnished the feedback required for the control 
laws. The triple -channel backup control system included sepa- 
rate backup sensors feeding the Sperry analog backup electronics 
to provide augmentation. The actuator arrangement was essen- 
tially identical to the configuration used in the Phase I portion 
of the program. 


LIMITATIONS DISCLOSED BY PHASES I AND Ila 


The early phases of the program disclosed a number of limi- 
tations that must be considered in the continuing programs. 


Electrical Power Limitation 

Information from NASA-FRC has indicated that the aircraft 
electrical system is capable of supplying the Phase Ila con- 
figuration described previously but would be overloaded if any 
significant additional load (such as a third AP 101 processor) 
was added. 

The servo engage valves are one of the significant users 
of power. The system includes 20 engage valves and each valve 
requires approximately one ampere. During operation with the 
primary flight control system, all engage valves must be energized; 
consequently, 30 X 1 X 28 or 560 volt-amperes of power are re- 
quired for this purpose alone. 

A single lOOA, 30V d-c generator for FCS use is currently 
installed on the aircraft. Power from this generator is supplied 
through various switching and circuit breakers to four FCS buses . 
This generator could be replaced with a 200 or 300A generator. 
However, the larger generators require more space and could re- 
quire some additional modification, such as additional buses or 
heavier wiring. 


Hydraulic Power Limitation 

Hydraulic power limitations were noted on several occasions 
during the Phase I flight test. During the landing mode at low 
engine rpm and with considerable turbulence close to the ground, 
the hydraulic pressure drop fr on high surface activity operation 
sometimes caused reversion to the backup control system. 
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This problem could be solved by replacing the present 
hydraulic pimps with higher-capacity pumps. The space avail- 
able in the area of the pumps is very limited, however, and such 
replacement may require additional aircraft modifications. 


Secondary Actuator Hysteresis and Granularity 

The design details and performance of the secondary actuators 
are described in ref. 10. Sperry indicated in an unpublished re- 
port that in the course of pilot evaluation, performed on the NASA 
F-8C DFBW simulator with actual servos, the nonlinearity levels 
(hysteresis and granularity) were found to be much larger than 
typical. The report states: "This characteristic caused completely 
unsatisfactory performance in all negative-static margin (48 per- 
cent of eg) pitch configurations, except power approach. In the 
positive static margin (forward eg) configurations, the hysteresis 
and granularity non-linearities generally resulted in poor damping, 
not a sustained limit cycle." 

The report recommended that all secondary actuator non- 
linearities be reduced such that the single-servo channel total 
hysteresis or granularity not exceed 0.1° of surface. However, 
it noted that "the improved system will still exhibit oscilla- 
tions which we feel will prove unacceptable". 


Equipment Bay Space Limitations 

Figure 5 shows the primary locations allocated for DFBW 
components in the flight test aircraft. 

The largest compartment is located directly behind the 
pilot. Most of the system electronics components are mounted 
on a pallet, removable as a unit, in this compartment. The en- 
velope dimensions defining the particular shape and voliime 
capable of being housed in this compartment are specified in 
Figure 6 . 

It is apparent that equipment bay space is very limited in 
the aircraft. Introduction of a third computational channel 
will require essentially a completely new layout of the equip- 
ment in the pallet area and likely necessitate moving some com- 
ponents to other areas . Some small components may be accomo- 
dated in the nose area, for instance. 

Possible methods of providing additional space include 
modification of the aircraft structure to provide faired bulges, 
or mounting equipment in pods which could be attached to the 
wings . 
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Figure 5. Location of DFBWFCS Components 
in Aircraft 
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Figure 6. DFCS Palletized Assembly Envelope 
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SECTION 5 


SYSTEM DESIGN CONSIDERATIONS 

FCS REQUIREMENTS 


The requirements defined for the F-8C DFBW control system 
may be divided into six categories: 

o Functional 
o Performance 
o Reliability 
o Safety 

o Maintainability 
o Operational environment 

The requirements in these categories are derived from a 
nxoKiber of sources which, in some cases, have been inconsistent. 
Consequently, this section attempts to integrate these sometimes 
differing viewpoints into a rational set of realizable goals. 

The primary source of requirements is the contractual state 
ment of work for this preliminary system design study. Other 
influences on the final requirements are due to the results and 
problems encountered in the Phase I flight test program, the 
effects of reorientation to support the Space Shuttle DFBW con- 
trol system development, the progress and results of the Recon- 
figurable Computer study, and the progress and results of the 
Advanced Control Law study recently completed by Honeywell under 
NASA contract NAS 1-12 6 80. 

The basic objective of this study as it has developed is 
the conceptual design of a reliable digital fly-by-wire control 
system for the F-8C research aircraft directed toward the last 
phase of the program with flight test beginning in early 1976. 
The following subsections define the requirements for this con- 
trol system, their source, and rationale behind them. 


Functional 

Full-digital fly-by-wire . - The Phase lib flight control 
system shall be completely controlled by digital means. All 
input commands, feedback signals, and mode selection signals 
shall be provided to the digital processor (s) where control law 
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computation shall be performed. No mechanical or analog backup 
control system shall be required to satisfy the specified reli- 
ability requirements. 

Control modes . - The flight control system shall provide 
modes and functions which can be categorized as conventional 
augmentation/autopilot functions or as advanced control concepts 
as indicated below; 

1. Conventional augmentation/autopilot functions 

A) Three-axis augmentation 

B) Coiraaand control modes 

2. Advanced control concepts 

A) Stability augmentation of a statically unstable 
airframe 

B) Maneuver load control 

C) Ride quality control 

D) Envelope limiting (such as g limit control) 


Performance 

The contractual statement of work for this study did not 
specify flying qualities or an applicable flying qualities 
specification. It is assumed that the performance requirements 
established for the unaugmented aircraft would be the minimum 
acceptable, however significantly improved performance capability 
in accordance with the research purposes of the program is 
expected. 

Flying qualities shall be at Level 1 as defined in Paragraph 
1.5 of MIL-F-8785B (ASG) when all aircraft systems are operating 
normally. 

Flying qualities shall be maintained at Level 1 (as above) 
in the event of any single failure. Failures that result in 
flight envelope restriction or mission degradation shall be 
indicated on an advisory panel. Failure transients shall be 
minimized. , 
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Reliability 


Reliability of the FCS shall be such as to obtain a fail- 
ure rate no greater than 10~^ complete flight control system 
failures per hour. This level of reliability is validated as 
being reasonable and acceptable by data from CAB and NTSB sources 
(refs. 11 and 12) for the period 1962 - 1969, which show the 
mechanical primary flight control systems of commercial aircraft 

experienced a failure rate of 1.19 X 10“^ failures per flight hour. 

Configurations including possible single-point failure 
modes shall not be permitted regardless of the reliability level. 
Failure compensation, in accordance with the reconfigurable 
computer concepts, shall be automatic upon detection of the 
failure. 


Safety 


To assure flight safety, all candidate configurations will 
be designed to satisfy the Federal Aviation Regulations for air- 
worthiness of transport aircraft; FAR 25. The FAR paragraphs 
considered applicable for the FCS are: 


25.671: General (control system) 

25.672: Stability augmentation and 

automatic, and power operated 
systems 


25.1301; Equipment systems and installations 


25.1329: Automatic pilot system 


) 


Backup System 

It has been decided by NASA-Flight Research Center that an 
analog backup control system must be provided to alleviate flight 
test risks, A number of reasons may be cited to justify this 
stand ; 

1) This is a one-of-a-kind vehicle and experimental 
system. Loss of the aircraft would represent a 
very serious loss of investment in the program 
and would probably bring research in this impor- 
tant area to a standstill for some time. 
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2) Modifications to the aircraft and/or test systems 
are very common in this type of a research program? 
therefore, the probability of introducing failures 
is greater, and consequently, improved safeguards 
must be provided. 

3) The possibility of an undiscovered single-point 
failure existing in a system under development is 
much more likely than in a production system. 


Maintainability 

The contractual statement of work specifies the flight con- 
trol system unscheduled maintenance rate shall not exceed 0.02 
maintenance man-hours per flight hour and scheduled maintenance 
shall not be required at less than 300 hr of flight. 

Specification of such an unscheduled maintenance rate is 
applicable to a long-term operational program involving large 
numbers of aircraft with a well-defined maintenance structure 
using automated test equipment; however, it does not appear to 
be appropriate for a development program such as this . Deter- 
mination of maintenance ratio requires a detailed definition of 
the configuration and maintenance philosophy which was not in 
accordance with the planned scope of this study. Consequently, 
Honeywell did not define or utilize maintenance ratio in evalu- 
ating the candidate configurations. However, the mean-time- 
between-maintenance actions (based upon summation of piece part 
failure rates) was determined for each configuration in the 
tradeoff . 

The most immediate concerns with regard to maintainability 
are that the techniques assure a safe control system: one that 
is easily and swiftly maintained, that detects and prevents 
latent failure buildup, and that provides this capability at a 
minimum program cost. 


Operational Environment 

The system shall be capable of operating undegraded under 
any logical combinations of climate and transport aircraft en- 
vironmental factors as specified by the FAA and as will likely 
be experienced by the F-8C aircraft. 

Test flights will be conducted at NASA/FRC Edwards AFB , 
California. Test flights will have an approximate time duration 
of two hours. Various combinations of the environments speci- 
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fied herein can occur simultaneously, with the exception of 
vibration and shock. 

The DFBW control system shall operate during environmental 
exposure and shall operate within performance specifications 
after non-operating exposure to the following environments: 

o Altitude - The components in electronic equipment 
compartments shall be exposed to ambient pressures 
equivalent to altitudes between sea level and 15 240m 
(50 000 ft) . 

The components within the cabin shall be exposed to 
ambient pressures equivalent to altitudes between 
sea level and 15 240m (50 000 ft) . 

o Temperature - The components in electronic equipment 
compartments shall be exposed to ambient temperatures 
between -55“C (-65®F) and +55“C (+131®F) . Ambient 
temperature is that temperature of the immediate 
surrounding air and structure adjacent to the equip- 
ment. 

The components within the cabin shall be exposed 
to (ambient temperatures between -55®C (-65“F) and 
+55“C (+131“F) . 

o Temperature/altitude - The components in electronic 
equipment compartments shall be exposed to the tem- 
perature/altitude environment as illustrated in 
Figure 7 . 

The components within the cabin shall be exposed 
to the temperature/altitude environment as illus- 
trated in Figure 7. 

o Shock - All components shall withstand exposure to 
shock in any direction having a terminal peak saw- 
tooth waveform with an amplitude of 10 g and a 
time duration of 15 ms . 

o Acceleration - All components shall withstand 
exposure to acceleration of a maximum g level as 
indicated below. 


Fore 

6.0 

Aft 

2.0 

Up 

3.0 

Down 

9.0 

Lateral 

4.0 
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ALTITUDE / 304.8 (METERS) 



Figure 7. Altitude Versus Temperature 


o Electromagnetic interference - The requirements 
of MIL-STD-461 (A) shall apply to the DFBW flight 
control system as indicated in Table I. 

o Natural hazards - The DFBW control system shall be 
mechanized to minimize any effects in the event the 
aircraft is struck by lightning. 

° Vibration - The DFBW control system shall withstand 
exposure to sine wave vibration as indicated in 
Figure 8 . 

o Ground environments - The environmental extremes 
during transportation, handling, and storage shall 
not exceed the flight environments and the following; 
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TABLE I. “ EMI REQUIREMENTS 


Test 

Area Tested 

Range 



CEOl 30 Hz - 50K Hz 


Power 

CE02 lOK Hz - 50K Hz 

- 

lines 

CE04 50K Hz - SOM Hz 

Conducted 

emission 

(CE) 




Signal 

CEOS 30 Hz - 50K Hz 


control 

lines 

CEOS SOK Hz - SOM Hz 

Radiated 



emission 

Electric 

RE 02 broadband 14K Hz-IG Hz 

(RE) 


RE 02.1 14K Hz-12. 4G Hz (C.W.) 

Conducted 

Power 

CS -6 SPIKE (±2 X V power 

susceptibility 

lines 

leads ) 

(CS) V 



(2.54MM) 0.1- 
(.9I4MM) 0,036- 


^ 1 r 

+ I 
I I \1^ 


- TOLERANCE -TBD 


•56 (PEAK) 


5 14 23 52 

FREQUENCY (Hz) 


Figure 8. Vibration Profile 







a) Relative hiamidity - Relative humidity of up to 100 
percent and conditions wherein condensation takes 
place in the form of water or frost for periods of 
time of up to 12 hr maximum. 

b) Sand and dust - Sand and dust external to the air- 
plane encountered in desert areas and having a 
test equivalent of 140-mesh silica flour with a 
particle velocity of up to 500 ft/min (152.4 M/min) 
and a particle density of 0.25 g/ff^ (8.83 g/M'^) . 


PERFORMANCE 


Potential Performance Improvement 

Projection of the performance improvement already achieved 
with analog fly-by-wire control provides anticipation of the im- 
provement which may be expected from digital fly-by-wire systems. 

Analog fly-by-wire control technology was fully validated 
with the successful completion of the AF 680J Survivable Flight 
Control System Program. Applicable fighter flight control laws 
were demonstrated under realistic tactics in the F-4C TWEAD 
(Tactical Weapon Delivery) control augmentation program (ref. 13) 
which demonstrated significantly improved unguided weapon de- 
livery performance over conventional F-4 aircraft. For example, 
in two separate sets of testing, dive bombing CEP was reduced by 
27 percent with the TWEAD system. Improved air-to-air tracking 
perfoinnance over the conventional F-4 SAS was also achieved with 
TWEAD. 

Handling qualities improvement attainable in transport air- 
craft has also been investiaged (ref. 14) in a C-141 equipped 
with a two-axis side-stick and a fly-by-wire command augmentation 
system. Flight test results have demonstrated significant re- 
ductions in pilot workload, and hence, less pilot fatigue. In- 
stead of high-control column forces for performing large maneuvers, 
simple wrist action with lower stick forces provided precise con- 
trol of the large aircraft with a minimxim of effort. 

In addition to these capabilities of fly-by-wire controls 
in the area of dynamic performance and handling qualities, a 
digitally implemented system can, because of its inherent preci- 
sion offer improvement in mode control and redundancy management. 
The design factors critical to the realization of these potential 
improvements are discussed briefly in the following paragraphs. 
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Critical Factors in Digital Design 

The design of an aircraft digital controller to meet dynamic 
performance objectives can be approached in two ways: 1) satis- 
factory analog controller transfer functions can be approximated 
to the required degree by digital computation; or 2) direct- 
digital design techniques (perhaps in conjunction with optimal 
control.^ theory) can be used to define a digital controller with- 
out going through the initial analog design stage (the constraints 
placed on an optimal controller for manned aircraft by airframe 
and pilot factors usually result in control laws fairly similar 
to those of a well designed analog system) . 

In either case^ the more important factors of the digital 
design in regard to performance are: 

o Digital word length 

o Iteration rate 

o Transport delays (other than deliberately 
introduced filter time constants) 

o Filter algorithms 

During the past several years, a number of studies on these 
subjects have been published by industry and government agencies 
and the trade-off and requirements are fairly well-established. 
Software techniques for implementing digital control in specific 
computers have also been developed and used, although less 
literature is available on this aspect. Example studies on these 
factors are the subjects of refs. 15 through 17. 

Mode control and redundancy management are influenced by 
processor design features such as: 

o Priority interrupts 

o Synchronization circuitry 

o Crossfeed (intercom) provisions 

o Self-test capability 

Virtually all processors include at least one external inter- 
rupt. The availability of additional interrupts can simplify both 
processor modifications and software design when implementing re- 
dundant systems. Similarly, the availability of circuitry to 
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permit synchronization and direct communication of two or more 
processors in a multicomputer or multiprocessor configuration 
can facilitate implementation without hardware modification. 

A high degree of self-test capability can, of course, sig- 
nificantly influence redundancy management concepts . This capa- 
bility is largely obtained by writing the required test routines 
into the system software, but memory size and access to certain 
registers can affect the extent to which the self-test can be 
carried. ' 

The availability of the aforementioned features indicates 
to some extent the ease with which a particular computer can be 
adapted to implement a redundant configuration. However, these 
features are not so unique that they cannot be provided by modi- 
fication or expansion and thus almost any digital computer with 
sufficient speed could be adapted to redundant operation. 

In the case of applying the IBM AP-101 computer to the F-8C 
DFBW FCS there is no doxibt that it can meet the dynamic perform- 
ance requirements, and with reasonable care in designing I/O and 
crossfeed circuits, the redundancy requirements as well. 


Control F;anction Criticality 

Control functions interact with redundancy requirements 
in two areas: (1) the "criticality” associated with the parti- 

cular control function and (2) and analytic nature of the control 
function. Control functions may be categorized by criticality 
as follows : 

o Flight-critical during entire mission 
o Flight-critical during a portion of the mission 
o Flight-critical for certain flight regimes 
o Mission-critical (not flight-critical) 

The first category consists of the functions which, when 
lost, could lead to the loss of the aircraft in any flight re- 
gime such as fly-by-wire flight control and flutter control. The 
second category consists of control functions which, when lost, 
could lead to loss of the aircraft during limited portions of the 
mission. An example of this, although not part of this study, 
is auto- land. The flight-critical for certain flight regimes 
category might include functions such as augmentation of air- 
frame static stability. Loss of these control functions pre- 
cludes the aircraft operation in certain flight regimes . 
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The mission-critical (not flight-critical) functions are 
those which, when inoperative, preclude the completion of a 
specific mission but whose loss does not compromise the safety 
of the aircraft. By categorizing the control functions in this 
manner, an assessment of the redundancy requirements can be made, 
and computer capacity, signal flow, and other flight control sys- 
tem requirements may be determined. 

The analytic nature of control functions also impacts 
redundancy. Examples of such factors are gain variations, sig- 
nal dynamic ranges and foiiward-loop integrations . 

Alteration of the gain of a given signal path may require 
alteration of the comparison monitoring to ensure valid inter- 
channel mistrack detection and yet avoid nuisance disengagements. 

Comparison monitoring of signals having large dynamic ranges 
must be given special attention. For example, it may be de- 
sirable to provide limited mistrack threshold alteration as a 
function of the average signal magnitude of the redxindant 
channels . 

Perhaps the most significant aspect of the control function 
analytic nature that must be considered is whether or not for- 
ward-loop integration is present. If forward- loop integrators 
are present, it is necessary to employ techniques which constrain 
the integrators to track together. Two basic approaches are 
evident. First, by crossfeeding an integrator-to-integrator 
output error signal, the integrators can be forced to track. 
Second, if identical signals are processed by the computers, the 
integrators will track together. The selection of integrator 
equalization technique will impact the redundancy technique in 
general and the final system configuration in particular. 


RELIABILITY 


Realistic Reliability Goals 

The F-8C DFBW program presents a unique and diverse set of 
reliability requirements. The vehicle is a military aircraft 
operating in a research environment to possibly simulate commer- 
cial transport problems. Therefore, the F-8C DFBS flight control 
system should be 1) sufficiently safe for flight test purposes 
(perhaps military reliability requirements are applicable) and 
2) representative of acceptable commercial transport systems. 
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A commercial transport fly-by-wire control system function 
must be fully dependable. Probability of total loss-of-function 
should be no greater than the probability of encountering a mech- 
anical control system or major structural failure# although this 
level may not be achieved in a research and development situation. 

The specification of reliability design requirements for 
electrical control systems is a complex and crucial function as 
these reliability requirements establish the redundancy levels 
for not only the control channels, servo actuators, and sensors, 
but equally important, the electrical and hydraulic supplies. 

It now appears, from recent data, that early failure rate goals 
established for fly-by-wire control systems may have been overly 
severe in comparison to the results being experienced on conven- 
tional control systems in many of our current military aircraft 
designs . 

Representative Air Force safety data (ref. 18) for a period 
of 10 years (1964 to 1973) show a current fighter aircraft loss 

rate due to flight controls at a rate of 54.6 per 10^ flight 
hours and due to hydraulic systems of 35.1 per 10^ hours for a 
combined rate of 89.7 per 10^ flight hours. Large bomber and 
transport aircraft are exhibiting a major accident rate of 5.5 

per 10^ flight hours due to flight control system failures. 

Rotary wing aircraft are typically encountering losses equiva- 
lent to 19.2 per 10^ flight hours for flight control failures, 
and 9.6 per 10^ flight hours for hydraulics for a combined total 
rate of loss of 28.8 per 10^ flight hours. 

Navy data (ref. 18 and 19) indicates equivalent primary 
flight control system- related aircraft loss rates. During the 
10-year time period of 1960 to 1970, analysis of the F-4, F-8, 

A-5 , A-6 , and A-7 fighters shows a combined average of 55 aircraft 
losses per 10^ flight hours due to flight controls and an average 
aircraft loss rate of 34.7 per 10^ flight hours due to hydraulic 
systems for a combined total of 89.7 per 10^ flight hours. The 
average Navy mishap rate due to flight controls (accidents, in- 
cidents, and ground accidents) was 9.4 mishaps per 10^ flight 
hours. This mishap rate is approximately 20 times higher than 
the loss rate. This same report suggests that a more realis- 
tic failure rate goal for fly-by-wire controls would be 20 air- 


29 



7 

craft losses per 10 flight hours not including aircraft elec- 
trical or hydraulic power. This goal would represent a three- 
to-one improvement in safety over current conventional fighter 
primary flight control system experience. 

A nianber of papers on fly-by-wire systems for commercial 

-7 

transport axrcraft have used a goal of 2.3 x 10 failures per 
hour which was based upon CAB/FAA commercial transport data in 
the 1949 to 1952 time period and did not include fully powered 
controls. More recent data for the period of 1962-1969 from CAB 
and NTSB sources show the mechanical flight control systems of 
commercial transport aircraft experienced a failure rate of 1.19 

_7 

X 10 failures per flight hour. 

A goal of less than 1 x 10“® failures per flight hour has 
been cited as realistic for the 1980-85 advanced transport 
flight control designs . 

This disparity of data and goals indicates the wide range 
of reasonable reliability goals which could be applied to the 

F-8C program. It is apparent that the 1 x 10“^ failure per 
flight hour requirement is not unreasonable for a transport air- 
craft, Yet, in the F-8C, this must be balanced against the cost 
required to achieve the goal as well as consistency with other 
aircraft systems such as electrical and hydraulic supplies. 


Preliminary System Reliability Analysis 

High operational reliability may be achieved by the proper 
application of the following features, individually or in 
various combinations : 

o Redundant channels 

o Independent backup system 

o Cross- feeding 

o Built-in test (both pre-flight and in-flight 
self-test) 

o In-line monitoring 
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o Reduced complexity 
o High-reliability parts 

The following simplified reliability analysis was performed 
early in the study to establish some reasonable preliminary sys- 
tem redundancy concepts based upon the relationship of these fac 
tors in the F-8C DFBW program. 

Flight control channel models considered . - The simplified 
channels and typical failure rates for the elements making up 
these channels are shown in Figure 9 . Additional assumptions 
made in the analysis are listed below: 

o Failure rate of a digital channel is in the range 
— —4 

of 10 to 10 failures per hour. 


4XI0‘5 


DIGITAL CHANNEL ( 3 AXES) 



SERVO VALVE 
I NPUTS 


3X10“^ 


6XI0"5 


6XI0’4 to 10“'^ 


TOTAL WORSE CASE: I0‘^ 
BEST CASE (NO SENSORS): 10” 


ANALOG BACKUP CHANNEL (SINGLE AXIS ) 



SERVO VALVE 
INPUT 


lO"-^ 2XI0"5 


3XI0"5 


TOTAL = 1.5 X lO'"^ 


Figure 9. Control Channel Models 

(Failure Rates per Hour) 
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o Failure rate of an analog channel is approximately 
1.5 X 10“'^ failures per hour per axis or for 3 
axes is 4.5 x 10“"^ failures per hour. 

o These systems do not include the actuation 

function; the probabilities of system failure 
do not include the probability of actuator 
failures or of electrical or hydraulic supply 
failures . 

o Mission time = 1 hour. 

o Perfect comparison monitoring and switching. 

o The analog backup is a stand-by triple channel 
function and requires two or three channels to 
perform the function. 

Redundant configurations considered . - The nine typical 
redundant configurations considered in this analysis are listed 
in Table II. In this table, the number of digital and/or back- 
up channels is indicated by numerical superscripts . The sub- 
script "C" indicates comparison-monitored systems, while the 
subscript "T" indicates self-test with 95 percent capability of 
detecting all computational faults is used in addition to com- 
parison monitoring. 

Pacing failure effects . - Table III shows the major cause 
for abort and major total system failure cause for each of the 
typical redundant configurations. The term "abort" used herein 
denotes the case in which a flight test mission is cancelled or 
not completed due to concern for flight safety as a result of one 
or more component failures. 
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TABLE II. - CANDIDATE SYSTEMS 


System 

Number of 
digital 
channels 

Number of 
anlg backup 
channels 

Type of 
digital 
monitoring 


2 

0 

Comparison 

Dq,2 

2 

0 

Comparison plus 
95% self test 


3 

0 

Comparison 


3 

0 

Comparison plus 
95% self test 

Dc^bS 

2 

3 (single 
fail op) 

Comparison 


2 

II 

Comparison plus 
self test 

Dc^B^ 

3 

II 

Comparison 

Dc2b2 

2 

2 

Comparison 

D^2b2 

2 

2 

Comparison plus 
95% self test 


TABLE III. - PACING FAILURE EFFECTS 


System 

Major abort cause 

Major total 
failure cause 


One channel fails 

One channel fails 

D.j.2 

One channel fails 

One channel fails and 
self test fails 

°c' 

One channel fails 

Two channels fail 


Two channels fail 

Two channels fail and 
self test fails 

Dc2b3 

One channel fails 

One channel fails and 
backup system fails 

Dj^b3 

One channel fails and 
self test fails 

Two channels fail and 
self test fails 


Two channels fail 

Two channels fail and 
backup system fails 

Dc^b2 

One channel fails 

One digital channel and 
one analog channel fails 

D^2b2 

One channel fails 

Two channels fail and 
self test fails 

















Probability of abort or failure calculations . ~ The calcu- 
lation of probability of abort and probability of total system 
failures for each of the ni re typical redundant configurations 
is included below. 

1) Two digital channels, comparison monitoring and no analog 
backup: For this configuration, it is assumed that any component 

failure will result in both an abort and total system failure, 

P (abort) = probability of abort. 

P (abort) = 2 Xpt = 2 x 10~^ to 2 x 10”^ 
where t = 1 hr 


-4 

P( total failure) = 2 Xj^t = 2 x 10 to 2 x 10 

2) Two digital channels, comparison plus 95 percent self-test 
and no analog backup; For this configuration it is assumed that 
the loss of any channel will result in an abort. 

P (abort) = 2 X j^t = 2 x lO"^ to 2 x lO”^ 
where t = 1 hr 

Further, it is assumed that if the first channel failure is 
detected by self-test (95 percent of the time) , the mission will 
continue with the one remaining channel. If the first channel 
failure is not detected by self-test (5 percent of the time) both 
channels will turn off via comparison monitoring and a total sys- 
tem failure will occur. 

A very close approximation of the probability of total sys- 
tem failure is 

P (total failure) = 2(0.05 X^^t) + 0.95 (X^^t)^ = 

(lO"*^ to 10“^) + (10"^ to 10"®) 
or 

P (total failure) = 2(0,05) X j^t = 10 ^ to 10 ^ 

where t = 1 hr 
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3) Three digital channels, comparison monitoring, and no 
analog backup: For this configuration, it is assximed that any 

single-channel failure will result in an abort. In other words, 
if only two channels out of the three are operating, the mission 
will be aborted. 

— ■3 -4 

P( abort) = 3;\^pt = 3 X 10 to 3 x 10 
where t = 1 hr 

For total system failure it is assumed that two of the three 
channels have to fail. With comparison monitoring at least two 
of the three channels must be operating for comparison. 


P (total failure) 


(3Xpt) {2\^t) 
21 


SX^^t^ = 3 X lO”^ to 3 X 10 ® 


4) Three digital channels, comparison + 95 percent self-test, 
no analog backup: For this configuration, it is assumed that two 

channels must fail for an abort, or if only one channel is work- 
ing, the mission will be aborted. 


P (abort) = 


(3Xj^t) (2Xpt) 


= 3Xp^t^ = 3 X 10“^ to 3 X 10 ® 


where t = 1 hr 

For mission reliability, it is assumed that if the second 
channel failure is detected by self- test (95 percent of the time) 
the system will continue to operate with one channel. On the 
other hand, if the second channel failure is not detected by 
self-test (5 percent of the time) the total system will turn off 
via comparison monitoring. 

A very close approximation of the probability of total sys- 
tem failure is 

OXj^t) (0.05) (2Xj^t) (3Xj^t) (2) (0.95) (Xj^t) (x^^t) 

P (total failure) = + 
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n,,- X. (3, ot) (.05) (2XDt) , 7 

The fxrst term: = 0.15 = 1.5 x lO"^ to 

D 

1.5 X 10"9 


The second term: 


Oxpt) (2) (.95) (xpt)^ 
31 


(Xpt) 


-9 -12 

10 to 10 


is small with respect to the first term and therefore can be neg- 
lected. 


P (total failure) 


(3Aot) (0.05) (2Apt) 
21 


0.15 ^t^ = 1.5 X 10"’^ 


to 1.5 X 10 


5) Two digital channels, triple-channel analog backup, compari- 
son monitoring: For this configuration, it is assumed that any 

digital channel failure will result in an abort. The failure 
status of the analog backup has no influence on an abort decision. 

P (abort) = 2Apt = 2 x 10“^ to 2 x 10~^ where t = 1 hr 

For mission reliability it is assumed that the one digital 
channel and the analog backup must fail for total loss of the 
system. With comparison monitoring between the two digital chan- 
nels, loss of any digital channel results in a total loss of the 
digital channels, and a switch to the analog backup provides ad- 
ditional redundancy, 

(2A t) (3A t) (2A t) 

P (total failure) = 

where 2Apt = 2 x 10~^ to 2 x 10""^ and 

A^ = analog channel failure rate = 4.5 x 10“^ 

Therefore, 

P (total failure) = (40.50) (10 to 10 

= 4 X 10 to 4 


X 10 


-11 
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6) Two digital channels, comparison monitoring + 95 percent 
self-test, with a triple channel analog backup: For this con- 

figuration, it is assumed that the loss of the digital function 
will result in mission abort. 


P (abort) = (2) (0.05) ^^t = 10”^ to 10 ^ where t = 1 hr 

For mission reliability, three sequences of failures could 
occur; 

o Failure Sequence 1. The first digital channel failure 
is not detected by the self- test (5 percent of time) . 

For this sequence, the two digital channels will turn 
off because of mis compare and the analog backup will be 
switched on, and the analog backup must fail (two analog 
channel failures) for a total system failure (complete 
loss of system function) . 

o Failure Sequence 2. The first digital channel failure 
is detected by self-test (95 percent of time) and the 
second digital channel failure is not detected by self- 
test (5 percent of time) . For this sequence it is 
assumed that the analog backup cannot be switched on. 

In this case, a system failure occurs after the secohd 
digital channel failure. 

o Failure Sequence 3. The first digital channel failure 
is detected by self-test (95 percent of time) and the 
second digital channel is also detected by self- test. 

For this sequence, it is assumed that the analog backup 
will be switched on, and the analog backup must fail 
(two analog channel failures) for a total system failure 
(complete loss of system function) . 

The probability of total system failure can be approximated 
by the summation of the probabilities of failure sequences 1 
through 3. Hence, the probability of loss of the total system 
function is approximately : 
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failure sequence 1 


failxire sequence 2 


P (total system) = 


'V — - 

(2) (.05;^Dt) OX^t) (2AAt) (2) (O.gSXpt) (.OSXot) 
31 2l 


31 

^ failure s equence 3 


V- ^ — 

(2) (0.95Xj3t) (O.gSXjjt) (3x^t) (2x^t) 

4l 

P (total system) = (2 x 10“^^ to 2 x 10“^^) + (5 x 10“® to 5 x 10~^^) 

+ (2 X 10“^^ to 2 X 10“^^ = 5 X 10“® to 5 X 10"^° 


7) Three digital channels, comparison monitoring with a triple- 
channel analog backup: For this configuration it is assumed that 

two digital channels must fail for a mission abort. The failure 
status of the analog backup system has no influence on an abort 
decision. 


P(abort) = ^ 2 2 

21 D 

where t = 1 hr and = 10”^ to 10”^ so that 
P (abort) = 3 X 10“® to 3 x 10“^ 

For total system failure it is assigned that two digital channels 
must first fail and then two of the three analog backup channels 
must fail. 


P (total 
where : 

P (total 


failure) = 

t = 1 hr, X 
4.5 X 10"'^ 
failure) = 


{3x^t) (2Xi3t) (3x^t) (2x^t) 


41 

jj = 10”^ to 10”^, and Xj^ = 

(0.75) X^ X ^ 

D A 


= 1.5 X 10"13 10-15 


38 



8) Two digital channels ^ dual-channel analog backup, and 
comparison monitoring; The probability of total system failure 
results differ if the analog backup system configurations are 
dual channel instead of triple channel. 

2X„t 2X,t 

P (total failure) = — — 

21 


where; Xq = 10 ^ to 10 
X^ = 4.5 X lO"*^ 
t = 1 hr 

Or, P (total failure) = 

(2)(1)(4.5 X 10“'^) (10“^ to 10"^) = 9.0 x lO""^ to 9,0 x 10”® 

instead of 4.0 x 10"^® to 4.0 x 10“^^ with a triple- 
channel analog backup. 


9) Two digital channels, comparison monitoring + 95 percent 
self-test, with a dual-channel analog backup: In this case (dual 

analog backup) , the probability of total system failure can be 
approximated by: 


P (total failure) = 


(2) (0.05) (Xot) (2xAt) 

21 


(2) (0.95) (A^t) (0,05) (x^t) (2) (0 . 95x ^t) (0 ,95Xj^t) (2X^t) 

+ _ + 

= (4,5 X 10”'^) (1) (0,1) (10“3 to 10”^) + (1) (0.0475) (10”® to 10"®) 

+ (6) (10"^® to 10"^^) = 9.3 X 10"® to 5 X lO"® 

— fi — 1 0 

Instead of 5 x 10 to 5 x 10 for the triple-analog backup 
channel . 
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The resultant ranges of abort probabilities and total sys- 
tem failure probabilities calculated for the nine different con- 
figurations is plotted in Figure 10= The primary conclusion that 
may be drawn from this figure is that at least a three-digital 
channel system with either self-test or a backup system is re- 
quired for mission reliability and flight safety. 

The previous calculations involve the sensor and computation 
portions of hypothetical configurations, but do not include the 
actuator portions. Typically, flight control systems may be 
divided into three functional sections consisting of sensors, 
computation, and actuation each having approximately the same 
failure rate. Consequently, a complete system may be projected 
to have a failure probability larger than the above calculated 
values by a ratio of 3; 2. 


MAINTAINABILITY 


Maintainability can be considered as the probability that 
the system will be operable when called upon to perform a mission. 

The maintenance concept recommended here is based upon 
Honeywell's understanding of the maintenance systems that will 
be available for the F-8C aircraft combined with those main- 
tainability characteristics that can be inherently designed into 
the F-8C DFBW system. Based on these aspects this recommended 
maintenance concept will provide maximum equipment availability 
with minimum repair facilities. The recommended maintenance con- 
cept for the recommended repair levels is discussed below. 


Flight Line 

Corrective maintenance at this level is aimed at curing any 
F-8C system faults and restoring the aircraft back into service 
as quickly as possible. Maintenance consists of flight- line 
system-level troubleshooting to faulty line replaceable units 
(LRUs), replacement of these faulty LRUs, and system checkout to 
assure that the systems have been returned to an operational 
status. Activities at this level include on-aircraft line check 
and on-aircraft maintenance. 
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Figure 10. System Reliabilities 
(Per Hour) 














On-aircraft line check - (verification of failures). - This 
activity involves? 

o Line check, without external ATE or pilot assist, 
will be provided by BIT. 

o The line check, accomplished only with built-in- 
test, will detect 90-95 percent of all failures, 

o Based on past Honeywell experience it is judged 
that this task can be accomplished in less than 
1 minute (excluding access time) . 

On- aircraft maintenance . - This activity involves: 

o The system BIT will be used to localize failures 
to a specific LRU. 

o When fault localization is accomplished with BIT 
alone, the task can be accomplished within 2 
minutes . 

o Only a single crew member will be required to 
perform this BIT fault localization function. 

o If this initial BIT testing has not isolated 
the fault, additional testing will be required 
(a limited degree of exercising controls and 
reading aircraft indicators will be required) . 

o When additional testing over BIT is required 

to isolate a failure to specific line-replacable 
unit (LRU) an additional 3,0 minutes over BIT 
fault localization will be required. 

o Excluding the sensors and actuators, the BIT 
using the same single repair crew member will 
localize 95 percent of the remaining system 
failures to the LRU level. 

o Once the system failure has been localized to 
^ a particular LRU, actual system repair is ac- 

complished by replacing the suspected faulty 
LRU with one that is known to be within test 
specification. 


42 



o All LRUs should be designed with alignment 

features and quick disconnect, where possible, 
to be removable with common hand tools . 

o Each system LRU of a particular type will be 
directly interchangeable with other LRUs of 
the same type. 

o Once access has been gained to a faulty LRU, 
it has been typically found that the faulty 
equipment can be removed and replaced within 
10 min of elapsed time by a single crew meiriber 
(except for actuators) . 

o System BIT will also be utilized to verify fault 
correction after system repair has been completed. 

o Components of the type planned for the F-8C 

DFBW system do not require preventive maintenance 
(except for actuators) . 

The mean corrective maintenance time goal estimated to re- 
store a faulty system (excluding actuators) in the aircraft is; 

1.0 minute for verification 

3.0 minutes for fault isolation (worst case) 

10.0 minutes for LRU replacement 

2.0 minutes for BIT checkout 

16.0 minutes total mean corrective maintenance time 
(MTTR) excluding actuators. 


Hangar Level 

All LRUs that are removed from the system at the flight line 
level are delivered to the hangar level. Generally, repair of the 
system at this level is limited to LRU troubleshooting and re- 
placement of cards or modules. 

Using manual test equipment and spare cards/modules the 
fault in the LRU will be isolated to the specific card or module 
causing the LRU fault. The defective card or module will then 
be replaced and the LRU checked out. This approach will minimize 
LRU down time. Based on Honeywell experience, it is judged 
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that the average time to perform this task will be less than I.C 
hour. eiif eludes satisors and actuators. 


The BIT may be used in conj unctioin with the manual test 
equipment to verify fault correction after LRO repair has been 
completed. Faulty plug-in cards will be sent to the shop level 
for repair. Faulty gyros ^ accelerometers, and stick transducer 
assemblies will be returned to the shop for possible repair or 
further processing, and then sent to the sub-unit vendor for 
repair or replacement. Special teat equipment at the hangar 
level may include rate fixturing for the gyro liips, a dividing 
head for accelerometer LRUs and force fi^turea for the stick 
transducer LRU. This equipment may he limited to the shop, there- 
by requiring these LRUs to he shipped directly tc the ahop for 
maintenance actions. 


Shop Level 

Repair at this level should be restricted to that which re- 
quires skill, tools, or peculiar ground euppo-rt equipment not 
normally nor economically placed in the hangar* This includes 
repair of plug-in cards and &ub-units, and possible fault iso- 
lation of rate gyro, accelerometer, and stick force transducer 
LKD & « 


Eepaii: of A Honeywell-m&nuEactured p-lug-^in circuit card nor-’ 
mally can be accoraplished within 1.5 hours. Central processor 
unit <CPU) or meriory cards generally require 2.25 hours whereas 
a faulty gyro may require 16 hours of repair. 

Repair of the CPU or memory card Is not nonnally recoinmended 
at the shop level because of the special equipiaent and tech- 
niques required for failure isolation. Similarly , repair of 
inertial devioea (gyros and accelerometers) and the stick trans- 
ducer assembly is not re commended at the shop* These sub-units 
should be returned to the vendor for repair or replacement* This 
is especially true for a one-aircraft system such as the F-EC* 
This approach will influence the number of spare asseinJblies re- 
quired for the field maintenance level* ^flith this reconmended 
maintenance concept for the shop repair level, an H.TTR O'f 2.5 
hours has been experienced for similar types of aircraft equip- 
ment on other Honeywell programs. 
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SAFETY COWPEIANCE 


The candidate configurations fomaulated in this study oiust 
coinply with the safety requi remen ta o£ FAR^25 (the airworthines 
standards: Transport category aitplanesl f and in particular 

paragraphs 25,1309 and 25,132$ {amendraent 2S-23 of May S| 1971) 
A discussion of the specific regulrenbents and the manner of 
showing complianoe folLcws in Tables IV and V. 

TABLE rv. 2 5.1309 - EQUIPMEHT? SYSTEMS APID IHSTAImTATIONS 


FAa-35 

f^mnnjtfTtB 

D.^ TliB cqulpiT.Eni, J7itcb]n*, aod UuU.Lld!tUu 
wfaDiic fuiKtliaaSDj! ki required Ity ttila «ulii. 
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TABLE IV. 25.1309 - EQUIPMENT SYSTEMS AND INSTALLATIONS 

(CONCLUDED) 


FAR-25 requirement 

Comments 

e) Each installation whose functioning is re- 
quired by this subchapter, and that requires 
a power supply, is an "essential load" on 
the power supply. The power sources and 
the system must be able to supply the fol- 
lowing power loads in probable operating 
combinations and for probable durations: 

1) Loads connected to the system with 
the system functioning normally. 

2) Essential loads, after failure of any 
one prime mover, power converter, 
or energy storage device. 

3) Essential loads after failure of: 

i ) Any one engine on two-or-three 
engine airplanes, and 

ii) Any two engines on four or more 
engine airplanes. 

4) Essential loads for which an alternate 
source of power is required by this 
chapter, after any failure or mal- 
function in any one power supply sys- 
tem, distribution system, or other 
utilization system. 

The aircraft electrical system provides four 
isolated d-c buses. The hydraulic system pro- 
vides two isolated sources which are each able 
to supply full pressure and adequate flow 
capability. 

Not applicable, as this is a single-engine 
aircraft. ' 

f) In determining compliance with subpara- 
graphs (e) (2) and (3) of this subsection, the 
power loads may be reduced under a mon- 
itoring procedure consistent with safety in 
the kinds of operation authorized. Loads 
not required in controlled flight need not be 
considered for the two-engine inoperative 
condition on airplanes with four or more 
engines. 

Electrical power for fly-by-wire controls 
requires higher quality dependability than now 
currently available from the nominal MIL-STD- 
704 which permits spikes and interruptions not 
tolerable for precision control'. Thus, the 
electrical supply must undergo processing, 
filtering, and regulation within the power sup- 
plies of the flight control system. Considerable 
ingenuity is required to provide sufficient in- 
dependent and isolated power sources for a quad- 
redundant electrical flight control system on a 
single-engine aircraft. Electrical busses must 
be maintained independently to avoid single - 
failure points. Batteries for backup electrical 
power sources can weigh sizable amounts and 
require additional maintenance support to ensure 
safe operating conditions. 

g) In showing compliance with paragraphs 
(a) and (b) of this subsection with regard 
to the electrical system and equipment 
design and installation, critical environ- 
mental conditions must be considered. For 
electrical generation, distribution, and 
utilization equipment required by or used in 
complying with this chapter, except equip- 
ment covered by Technical Standard Orders 
containing environmental test procedures, 
the ability to provide continuous safe ser- 
vice under foreseeable environmental 
conditions may be shown by environmental 
tests, design analysis, or reference to 
previous comparable service experience on 
other aircraft. 

The critical environmental conditions defined 
in this subsection are similar to the environ- 
mental requirements of a number of Honeywell 
operating digital systems including the air data 
computer system and the performance and 
assessment monitor (PAFAM) used in the Douglas 
DC-10. 
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TABLE V, 25.1329 - AUTOMATIC PILOT SYSTEM 


FAR-25 requirement | Comment 


a) Each automatic pilot system must be de- 
signed so that the automatic pilot can be 
quickly and positively disengaged by the pilots 
to prevent it from interfering with their con- 
trol of the airplane. 

Inasmuch as this is a fly-by-wire system, 
disengagement is not an applicable alternative, 
disengagement of auxiliary modes will be as 
specified. 

b) Unless there is automatic synchronization, 
each system must have a means to readily 
indicate to the pilot the alignment of the 
actuating device in relation to the control 
system it operates. 

Automatic synchronization and/or equalization 
shall be provided by all candidate configura- 
tions. 

c) Each manually operated control for the system 
must be readily accessible to the pilots. 

All manual controls shall be readily accessible. 

d) Quick release (emergency) controls must be 
on both control wheels, on the side of each 
wheel opposite the throttles. 

Not applicable. 

e) Attitude controls must- operate in the plane 
and sense of motion specified in 25. 777 (b) 
and 25. 779 (a) for cockpit controls. The 
direction of motion must be plainly indicated 
on, or adjacent to, each control. 

All controls shall operate in accordance with 
the common conventions as specified. 

f ) The system must be designed and adjusted so 
that, within the range of adjustment available 
to the human pilot, it cannot produce hazard- 
ous loads on the airplane, or create hazard- 
ous deviations in the flight path under any 
condition of flight appropriate to its use, 
either during normal operation, or in the 
event of a malfunction, assuming that cor- 
rective action begins within a reasonable 
period of time. 

Normal operation will not produce hazardous 
conditions. In case of failure, the combination 
of comparison monitoring and redundant channel 
self tests will detect hazardous conditions and 
trigger appropriate corrective action. Fail 
safety is improved using techniques described 
elsewhere in this section. 

g) If the automatic pilot integrates signals from 
auxiliary controls or furnishes signals for 
operation of other equipment, there must 
be positive interlocks and sequencing of 
engagement to prevent improper operation. 
Protection against adverse interaction of 
integrated components resulting from a 
malfunction, is also required. 

The digital configurations easily provide this 
sort of sequencing. The flexibility inherent in 
this control method also pprmits relatively 
simple modification of the sequencing by pro- 
gram changes. 


















NATURAL HAZARDS 


Lightning Strike Information 

Aircraft are struck quite frequently by natural lightning 
discharges. The average is one strike per 2,500 hours for the 
commercial airlines fleet with damage severe enough to require 
repair according to information provided by the Lightning and 
Transients Research Institute, Minneapolis, MN. Most of the 
work of the Lightning and Transients Research Institute is con- 
cerned with research on lightning phenomena and related tran- 
sients, and in particular, aircraft lightning protection and 
related radio interference reduction. In the period 1946 - 1969 
L & T has prepared about 500 reports which deal with this area 
of research. 

In the pre-jet era where little attention was paid to 
lightning protection, total electrical-electronic systems fail- 
ures were occasionally reported, but with modern jet aircraft, an 
extensive amount of lightning protection is done on the aircraft 
and to date, no complete electrical system failures have occurred 
from lightning. Recent informal information indicates that the 
new larger aircraft such as the Boeing 747 and Douglas DC- 10 are 
more susceptible to lightning strikes than smaller aircraft. No 
quantitative data in this regard has been published, however. 

Electrical system problems due to lightning strikes on 
fighter aircraft have been reported over the years and are fair- 
ly well documented with evidence of a wide range of problems 
ranging from complete electrical system failure to minor damage 
to various electrical-electronic circuits. 

Lightning strikes of aircraft in flight were recorded in 
29 instances in a 10-year period covered by the data supplied 
from the Naval Safety Center (ref. 19). Damage ranged from minor 
to loss of one aircraft. Figure 11 shows the lightning strike 
rate on a year-by-year basis, with the average rate of lightning 
. 5 

strxkes being 0.716 strike per 10 flight hours with a peak of 

two strikes per 10^ hours in 1967. Four lightning strikes re- 
sulted in electrical system damage in the aircraft, and one of 
these four aircraft was lost because of total electrical power 
failure. 

Some of the characteristics of natural lightning discharges 
to aircraft are described in Table VI. 
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Figure 11. Lightning Strike Rate (Based on F4, 
F8, A5, A6, and A7 Aircraft) * 


TABLE VI. - CHARACTERISTICS OF NATURAL LIGHTNING 
DISCHARGES TO AIRCRAFT 


Power 

Probable 

average 

Evidenced 

maximum 

Current - amperes 

30 000 

300 000 

Rate of current rise 
- amps/p sec 

20 000 

200 000 

Charge transfer 
- coulombs 

100 

1,000 

Voltage - megavolts 

100 

500 


1970 ^ 










A typical lightning strike has been defined in a military 
specification as requiring equivalent components of 100,000- 
amperes crest 5 X 10 ysec waveshape, followed by an intermediate 
25 coulomb 5000-ampere crest pulse of 10 millisecond duration of 
one second. Recent evidence has indicated strokes of much great- 
er magnitude and consequently much higher energy. Artificial test 
discharges are being written into new specifications and used in 
tests on new aircraft components where safety of flight is 
involved. 


Lightning Protection 


One of the major concerns of operating an aircraft with a 
fly-by-wire control system is a catastrophic loss of all elec- 
trical power. Even loss of power for a short period of time can 
result in losing control of the aircraft. One of the causes of 
electrical failure is lightning discharge through the aircraft, 
and the advent of all-weather aircraft operation has increased 
the possibility of such lightning strikes. As noted earlier, 
the probability of a lightning strike is in the area of 0.7 to 

40 per 10^ flight hours. Electrical system problems resulting 
from lightning discharge have varied from generators being trip- 
ped off the line and intermittent warning light operation to 
minor damage to various electrical and electronic circuits. The 
use of more sensitive solid state electronic components and 
higher-speed logic circuits will increase the potential hazard 
from lightning effects which produce electromagnetic pulses in 
control circuitry. It has been demonstrated in recent years that 
for specific vehicles, fairly complete lightning protection can 
be provided. Because of the test capabilities which have been 
developed for lightning studies, much has been learned about the 
discharge phenomena through aircraft and the structural design 
techniques needed to provide protection for delicate equipment. 

Lightning and Transient Research Institute of Minneapolis 
has done extensive study on this subject. Their general conclu- 
sions as to the extent of damage to be expected from lightning 
strikes is that the physical location of the electrical and elec- 
tronic boxes and the electrical wiring will be the determining 
factor. The risk can be minimized by proper location of compo- 
nents and wiring, and if necessary, actual tests can be conducted 
to verify the lack of susceptibility to lightning damage. 
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It must be made clear that protection of electronic equip- 
nent cannot be divorced from the problem of the installation in 
the aircraft, since the coupling mechanisms are determined large- 
ly by the geometry of the installation. Component location within 
individual boxes must also be considered. As to pulse duration, 
the microsecond transients will be the primary problem to be con- 
sidered in the protection system design. 

The basic steps to be followed in providing lightning protec- 
tion of electronic systems are : 

o Pulse-coupling paths into the vehicle interior 
must be determined. 

o Susceptibility of electronics must be measured. 

o Surge protection must be developed for problem 
areas . 

The solution to the lightning strike problem involves start- 
ing with the basic design of the aircraft to be the most effec- 
tive. This point was also emphasized by work reported on in 
ref. 20 and 21. 


SKEWED SENSOR ARRAYS 


Conventional flight control, attitude reference, and inertial 
systems have normally used orthogonal triads of gyros and accel- 
erometers to obtain three-axis rate, attitude and/or acceleration 
information. Redundant systems have been mechanized simply by 
duplicating the triads as necessary. Skewed sensor arrays offer 
the following advantages when used in redundant systems (ref. 22) : 

o Minimum number of individual sensors 

o Minimiim interconnecting wiring 

o Pentad provides single failure isolation - 
single fail operative capability (equivalent 
to triple channel orthogonal arrays) 

o Hexad provides dual failure isolation - 
dual fail operative capability (equivalent 
to quadruple channel) 

o Accuracy improvement through averaging 
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Skewed sensor configurations are based on two assumptions — 
that sensed information (angular displacement or acceleration) is 
equally important from all directions and that sensor accuracy is 
acceleration- or gravity- independent. Under these assumptions, 
it can be shown that sensors whose sensitive input axes are placed 
normal to the faces of regular polyhedra, which divide the three 
dimensional space into equal regions, comprise optimum systems. 


Reliability 

The skewed redxmdant strapped-down array is an efficient 
means for increasing reliability. The desired reliability level 
dictates the number of sensors which must be used in a system. 

The dual (or triple) redundancy of a five- (or six-) sensor array 
may be necessary to achieve the prescribed reliability level. 
Since the effective redundancy of dual or triple-orthogonal sets 
may be achieved with pentad or hexad arrays which require fewer 
sensors, the overall system reliability is improved by the elimi- 
nation of the failure rate due to the deleted sensors. 


Fault Detection and Isolation 

At least three-noncoplanar sensors are necessary to provide 
full three-axis information in three-dimensional space. Addition 
of a fourth sensor, not aligned with any of the other three, to 
complete a tetrad, provides fault-detection capability. This con- 
figuration, however, is insufficient to provide fault isolation; 
that is, a fault can be detected by noting a disagreement among 
the outputs of the sensors, but the failed sensor cannot be iden- 
tified. 

The addition of a fifth sensor completes a pentad, no three 
sensors of which are coplanar. The five sensors in a pentad can 
be combined three at a time to fom 10 "voting triads”, which can 
provide positive fault isolation as well as detection, by using a 
voting technique among the 10 triads. That is, assuming failure 
of a single sensor, the four triads not involving the faulty sen- 
sor will continue to show agreement, while the other six which 
involve the faulty sensor will not. The same technique can be 
used to detect but not isolate a second sensor failure. 

The addition of a sixth sensor can provide two levels of 
fault-isolation capability, if desired. Although not required 
for fault isolation of a single failure, the addition of a sixth 
sensor to form a hexad provides greater accuracy and more reliable 
single-fault isolation capability since, in effect, the outputs 
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from 20 voting triads are compared and averaged in the parity and 
processing equations. These computational techniques also permit 
the detection and isolation of the second sensor failure in the 
hexad configuration . A third sensor failure will be detected but 
cannot be identified. 


Accuracy 

Expected system accuracy is statistical in nature and im- 
proves with the number of sensors employed. The relative improve- 
ment per added sensor diminishes as the number of sensors increases . 
The greatest reduction in mean variance, 25 percent, is realized 
in going from a triad to a tetrad. Adding a fifth and sixth sen- 
sor results in a further reduction in mean variance by 15 percent 
and 10 percent, respectively. 

When performing an accuracy analysis, consideration must be 
given to the mean variance of the remaining arrays after one (or 
more) sensors have been removed from the various optimum arrays. 

In establishing system configurations, consideration must also 
be given to the relative computational difficulty in processing 
the sensor data of the various truncated arrangements as well as 
the original arrays. 

System variance or mean variance is detemined by integrating 
and averaging the variance over the entire 3-D space. For sensors 

with zero means and with equal variances (a^) , the mean variance 
2 

( 0 _) of an optimally oriented n-sensor array can be shown to be 
2^ 2 /n 

= 3^ . Minimum- variance arrays may be developed to provide 

optimum systems which are particularly compatible with certain 
sensors . 

The skewed sensor array provides signals which are cross- 
coupled between axes, and furthermore, cannot be identified with 
a particular redundant channel. Input of the sensor signals to 
the computational elements may be accomplished by a number of 
different methods; however, a common method of using the array 
data is by analog cross feed of all sensor signals to the inputs 
of all redundant channels. Variations in the analog-to-digital 
conversion are reduced by transforming the data to the correct 
coordinate system and then performing an averaging or median 
selection process. 
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The flexibility of a skewed sensor array is somewhat limited 
when compared with redundant orthogonal sensor sets - due to the 
fact that the skewed sensor array uses identical sensors in all 
positions. Thus, the range of the sensors must be established by 
the axis requiring the greatest variation. As a consequence, null 
offset may be an appreciable portion of the useable range in some 
cases (for those axes which do not experience the full range of 
rate or acceleration) . 

As indicated in ref. 23, the sensor range need not corres- 
pond exactly to the maximiam range of the axes , but is dependent 
upon the particular sensor orientation chosen. The results of 
ref. 23 show that when constrained to one maximxim rate capability 
sensor, the skewed cone configuration with a central half angle 
of 77“ is superior, in terms of total vehicle axes error amplifi- 
cation, to the dodecahedron and octahedron configurations. In 
other words, the cone configuration allows a single gyro, with 
relatively low maximum rate capability, to be used in an environ- 
ment when the maximum rate about one axis (roll) is considerably 
greater than that about the other two axes (pitch and yaw) . For 
example an orthogonal system requiring 300 “/sec roll rate sensors 
and 60 “/sec pitch and yaw rate sensors can be compared with an 
octahedron using 212 “/sec sensors, a dodecahedron using 256 “/sec 
sensors or a 77“ cone configuration using 110“/sec sensors. 

Another limitation of the skewed sensor array is the location 
of all sensors at a single point. The capability to distribute 
sensors to various locations in the aircraft may be- very desira- 
ble in research of new flight control techniques. 


DIGITAL TECHNIQUES 


Signal Transmission 

The computer in a digital flight control system processes 
digital signals and issues digital commands. The signals are 
a measure of activity within the analog world. The commands, in 
turn, require some response in the analog world. The digital 
controller operates upon an alien environment. At some point in 
the process, a sensor information conversion from analog to digi- 
tal data is required; likewise, a conversion from digital commands 
back to analog responses is required. 


54 



The point of the foregoing is that, at present, the DFCS 
has to interface with an all-analog world. This discussion will 
be concerned with means of bringing in and putting out analog 
signals to and from the computer. There are basically two ways 
that this can be handled: 

1) Each analog signal can have a dedicated, hardwired 
transmission line connecting the sensor or servo to 
the computer unit. This is called direct dedicated 
signal transmission. 

2) Analog signals can be grouped or assembled at one or 
more remote locations and then sent to the processor 
along a common bus. This method is called multiplexed 
transmission. 

Direct dedicated signal transmission . - The most straight- 
forward way of interfacing the computer to the flight control 
subsystems is through direct dedicated wires to the sensors and 
actuators . 

The direct dedicated transmission subsystem has been applied 
to many system designs. The more significant advantages of direct 
dedicated signal transmission are: 

o Simple centralized control mechanisms 

o Well understood technology 

o Minimal A/D and D/A parts 

o Minimal system hardware cost 

Control of the I/O wires is centralized in the CPU. Since 
the lines are dedicated in a master (CPU) to slave (sensor) re- 
lationship the I/O program in the CPU will always have access 
to the data at the sensor. Thus there is no need for a complex 
control program or hardware controller as will be seen in the 
multiplex case. 

The wiring for the simplex case is minimal, straightforward, 
and totally isolated since it is only point-to-point dedicated 
wires . 

The direct-dedicated signal transmission approach has the 
following potential disadvantages: 


■ivr- 
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o Greater weight and space requirements 

o Complex redundancy implementation with no 
reconfiguration capability 

o Low utilization of wiring 

o Nonmodular/low flexibility 

o Noise problems 

o System synchronization and intercommunication 
problems 

Perhaps the foremost problem is the large wire bundles that 
result. In this type of system, every copy of every signal is 
connected to each channel of the redundant autopilot. A quad- 
ruplex system, for example, would, as a base, require a quantity 
of wires equal to four times the combined number of signal sources 
and servos. In addition to these, a number of supporting wires 
such as fault announcing, detection logic interconnects, etc., 
must be added. Thus, most of the advantages of simplicity are 
lost as redundancy is increased. The inherent isolation of the 
point-to-point wiring and centralized control exclude much capa- 
bility for system reconfiguration as a result of a single failure. 

Another drawback in use of hardwiring in redundant systems 
is the number of multiple connectors required. Increased cost, 
increased space, and decreased reliability are the result of 
additional connectors, which collectively have a significant 
impact. 

An additional disadvantage is the relatively low utilization 
of wiring (i.e., bus bandwidth). This means that even though the 
wire is the most reliable part of the I/O system, it must be 
duplicated many times, 

A fourth significant disadvantage is the non-modularity 
and non- flexibility of the I/O subsystem. It is difficult to 
adapt the configuration to a change in sensor complement or level 
of redundancy without appreciable redesign. Each additional or 
different device may require new point-to-point wiring and a new 
interface design. Additionally, these analog intercommunications 
suffer from noise problems which are significantly reduced in 
digital transmission. It should be noted that noise (EMI) prob- 
lems contaminate each channel and thus, are difficult to protect 
against, even in a triplex system with voting. 
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Synchronization and interprocessor communications cannot be 
accomplished by direct I/O. Consequently, where direct dedicated 
I/O is used, another multiplexed interface must also be provided 
for the synchronization and intercom functions. 

In conclusion, the direct-dedicated I/O approach is a well 
\inderstood, straightforward method for implementation of non- 
redundant systems but it increases exponentially in complexity 
as the level of redundancy increases. 

Multiplexed signal transmission . - The multiplex bus con- 
figuration has an effective increase in efficiency due to the 
following advantages of digital transmission of input and output 
data, 

o High noise immunity 

o Simple data distribution to multiple destinations 

o Increased bus bandwidth utilization (higher data 
flow rate per wire) 

The high noise immunity reduces transient errors caused by 
noisy signals. This can significantly reduce the nuisance dis- 
engage type of problems. 

Digital addressing allows the same data values to be trans- 
mitted to all processors simultaneously. A substantial increase 
in bandwidth utilization permits many more sensors to share the 
same data distribution system and allows maximum modularity and 
flexibility in the software I/O area. 

In using multiplexing technology there are many decisions 
the system designer must make that are not issues in direct 
signal transmission systems. The following subsections discuss 
some of the numerous options available to the designer of multi- 
plexed configurations. 

Frequency division multiplexing (FDM) : In FDM systems, 

each signal to be processed is assigned a carrier frequency. 

This frequency is then modulated about its nominal or center 
value as a function of the amplitude of the analog signal being 
processed. This is often handled with a voltage-controlled 
oscillator (VCO) , The accuracy of this sort of an arrangement 
is highly dependent upon the linearity of the VCO and the accuracy 
of its nominal frequency. 
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Each analog signal will have its own VCO with its own unique 
center frequency. There must be enough spread in the center fre- 
quencies to avoid all possibility of overlap. The outputs of 
these VCOs are combined in a mixer and ported onto a single trans- 
mission line. Band separation filters are used at the other end 
to recover the various carrier frequencies . Each carrier is then 
detected by some suitable means to extract the analog signal 
content . 

Time division multiplexing (TDM) : In TDM systems, each ana- 

log signal is assigned to a time slot and is transmitted as 
sampled data. A bus control device is then used to assign the 
bus to each of the analog signals during its time slot. No two 
analog signals will ever have access to the bus simultaneously, 
which is in sharp contrast to FDM, where all signals are trans- 
mitted simultaneously and continuously. 

In TDM systems, one of the first decisions to be made is the 
type of modulation to be used. Some of the more common options 
are: 

1) Amplitude modulation, where the analog signal, modu- 
lated on a carrier, is simply connected to the trans- 
mission bus during that signal's time slot. 

2) Pulse width modulation (PWM) , where the analog signal 
is "digitized" by encoding its value into the width or 
duration of a pulse of constant amplitude. When that 
particular signal's time slot comes up, a pulse of the 
correct "width" will be transmitted along the bus. 

3) Pulse code modulation (PCM) , where each analog signal 
is converted to a digital word of a suitable nvimber of 
bits. When the appropriate time slot comes along, the 
digital coded word will be transmitted as a train of 
uniform pulses with some rule to distinguish "ones" 
from "zeroes". Manchester encoding is one example of 
a specific implementation of PCM with special encoding 
for error detection. 

Another decision to be made is the choice of bus aliocation 
or commutation strategy. There are basically two types: 

1) Sequentially, where time slots are assigned according 
to some fixed, periodic algorithm. 

2) Demand, where time slots are assigned on a demand or 
request basis. Some master device must create this 
demand . 
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In the first case, all signals will be ported onto the bus 
and transmitted irrespective of whether they are required by the 
FCS for the mode presently being controlled. In the latter case, 
the PCS will limit its requests to the required signals only. 

Another decision to be made is the method of data identifi- 
cation. If sequential bus assignment is chosen, there are 
basically two methods of identification that can be used: 

1) Time-slot, where the receiver computes the same bus 
allocation algorithm as the sender. Signals are 
identified by their time slot assignments. 

2) Coded, where each different signal has its own unique 
identifying label that is transmitted along with the 
data in the form of a header word. 

If demand bus assignment is chosen, the data identification 
is restricted to the coded type since there is no algorithm to be 
duplicated. 

The type of transmission method - parallel or serial - must 
also be selected. In the parallel case, all bits that make up 
a multiplexed word are assigned their own individual transmis- 
sion line and are transmitted simultaneously. However, the 
analog signals would still be sampled and transmitted according 
to their time slots. 

In the serial case, all of the bits that make up a multi- 
plexed word are transmitted consecutively on the same transmis- 
sion line. In other words, the bits that go to make up a multi- 
plexed word are assigned bit-time-slots within the word time 
slots corresponding to each of the various analog signals. This 
is accomplished by a parallel-to-serial converter. The receiver 
at the other end must perform the inverse operation to reconstruct 
the multiplexed word from the individual bits. This is accomp- 
lished by a serial-to-parallel converter (i.e., a parallel load- 
able shift register) . 

It is obvious that the serial method requires considerably 
fewer wires. This savings must be paid for by adding the para- 
llel-to-serial and serial-to-parallel converters and the corres- 
ponding reduction in the amount of data that can be transmitted 
within the same time period. 
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Global versus dedicated buses; A major tradeoff considera- 
tion still remains ; should the multiplex bus be global or dedi- 
cated, Global? as the name suggests? means it covers the entire 
mi verse of data signals or? in this case, all the airplane 
signals. Dedicated means its use will be restricted to some 
subset of the spectriam of signals of the I/O devices. 

Flight control systems are not the only ones that stand to 
benefit from multiplexed configurations. For example, other 
systems that could profit are the navigation system, the flight 
director system, etc. If all of these systems are combined into 
a common multiplex bus with all units accessible by all other 
units, a global bus would result. If, on the other hand, items 
peculiar to the navigation system are the only ones that are on 
a particular bus, then it would be called a dedicated bus. The 
decision as to which is best, global or dedicated, is beyond the 
scope of this effort. However, some factors that would impact 
that decision are outlined below. 

Dedicated buses can be operated either sequentially or on a 
demand basis. Global buses usually have a special device which 
acts as a master traffic controller. The traffic controller would, 
no doubt, operate in some sequential fashion but would require 
the other devices to essentially respond on demand. This allows 
for a maximxam reconfiguration and data crossfeeding to improve 
reliability. 

Global buses are more prone to time saturation than are 
dedicated buses, A given bus design has a certain channel capa- 
city or the ability to handle a certain number of transactions 
in the available time. Global buses have more transactions to 
handle than dedicated buses. Furthemnore , the larger number of 
variables require longer labels to provide unique identification. 
For example, eight variables require three bits while 16 variables 
require four bits. Global buses not only have more, but also 
longer header words to handle than do dedicated buses. 

Global buses have more terminals or ports, hence, more 
opportunity for line jamming or other catastrophic failures. If 
the navigation system had its own dedicated bus, it would not 
be possible for a failure in the navigation system to propagate 
into the flight control system. The same level of assurance 
would be more difficult to obtain in a global configuration. 

Each bus, whether it is global or dedicated, requires a traf- 
fic controller. The total amount of electronics would be less if 
a global bus were used than it would be if the global structure 
were partitioned into several dedicated structures . 
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Shuttle time division multiplex (TDM) bus . - The Space 
Shuttle TDM bus implementation, and several other implementations 
such as the F15 MUX and Air Force ASD Standard MUX were considered 
appropriate for data bus development. The Shuttle type was 
selected. 

o To better prove the Shuttle technology and 
redundancy management scheme 

o To utilize hardware developed for Space Shuttle 
program without a high cost development program 

Salient features; The salient features of this MUX imple- 
mentation are : 

1) Message Transmission 

o Half duplex, 1 MHz serial 

o Asynchronous terminal operation 

o 5 y sec response time 

o Bit parity 

o Distributed message verification 
o 28-bit words (16 bits of data) 

2) Protocol 

o Command word followed by up to 32 data words 

o 32 MDMs possible 

o Message override 

o No terminal-to-terminal transmissions 

3) Control 

o Central control by single CPU; all other 
■ devices are slaves 

o Any CPU is capable of controlling any bus 
o Allocation is static; reallocation (recon- 
figuration) requires consensus of all pro- 
cessors 

4) Signal Techniques 

o Manchester biphase 

o Special data and control sync signals 
o Parity — 1 bit per word 

o Transformer coupled 

Figure 12 illustrates the relationship between the major 
components of a multiplex data bus. For the purposes of this re- 
port, the following Space Shuttle terminology and abbreviations 
will be used inasmuch as the bus arrangement described is 
essentially that being developed for the Shuttle : 
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Figure 12. Relationship Between Components 
of a Multiplex Data Bus 


o 

MDM 

- Multiplex de-multiplexer 

o 

MIA 

- Multiplex interface adapter 

o 

TDM 

- Time division multiplexing 

o 

FDM 

- Frequency division multiplexing 

o 

BCU 

- Bus control unit 

o 

SSIB 

- Subsystem interface board 

o 

MUX 

- Multiplexed 


The MDM is the Shuttle standard bus interface module which 
connects flight control devices to two independent MUX buses . 

An MDM is composed of two independent microprogrammed controllers 
which provide dual-redxindant paths to a primary and backup bus . 
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The major functional blocks of an MDM are illustrated in Figure 
13. A subsystem interface board interfaces each redundant chan- 
nel sensor set to a dual-redundant D/A or A/D converter. The 
multiple interface adapter (MIA) provides the interface with the 
data bus. This complete assembly constitutes an MDM channel. 
Either the primary or backup channel can access the sensors, 
thus facilitating fault isolation and full recovery to triplex 
operation if a bus or MDM channel fails. For example, proces- 
sor 2 can still read redundant sensor set 1 data and redundant 
sensor set 2, while processor 3 reads redundant sensor set 3 
data, thus allowing full triplex operation by sharing data with 
processor 1. Simplex or duplex sensors will be connected to all 
three MDMs, allowing each processor to access that input. 

The MIA provides the signal conditioning for transmitting 
and receiving Manchester-coded data on the bus. The control and 
timing block provides data buffering, address recognition, and 
cominand execution sequencing. The SSIB is a circuit that inter- 
faces the signals from the sensor or to the actuator by dual 
paths through the MDM as shown in the inset of Figure 12 . 

The ECU provides an interface between the processor and all 
redundant buses. Each processor is capable of controlling any 
bus and responds to requests on all buses. A simplified block 
diagram of the BCU is shown in Figure 14 . The processors are 
connected to the bus with three independent MIAs which allow the 
computer to control any one bus, and respond to the other two. 
Under program control, each processor can decide which bus it 
will control, which is the method used by Shuttle. 

I/O signal flow sequences This subsection describes the 
actions and data transformations required for inputting FCS sen- 
sor data into the computer and outputting data to the flight con- 
trol system (FCS) actuators. 

Path A of Figure 15 illustrates the data flow for input. 

Under control of the executive schedule, the processor determines 
it is time to read sensor X. The processor executes an input 
routine which determines the correct MDM address and SSIB address 
and command sequence to be executed by the MDM in order to read, 
digitize, and transmit the sensor data. This information from 
the command buffer is used by the BCU, under processor control, 
to transmit a message on the bus directing MDMX to read, digitize, 
and transmit data. The BCU reads, the command buffer converts 
from parallel to serial and encodes the bit stream before sending 
it on the bus. All MDMs listen to the header transmitter on the 
bus; only one will find a match to its address and receive the 
command data. 
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The MDM interprets the request from the processor bys 
o Addressing the correct SSIB 

o Commanding the analog MUX to connect the SSIB 
to the A/D 

o Commanding the A/D conversion 
o Buffering the digitized value » 

(Any transmission on the bus would normally involve multiple 
readings of several sensors,) 

The MDM would then fonnat a, message which would be seri- 
alized and Manchester encoded and transmitted on the bus. During 
the digitizing period, the processor would have set up the BCU 
to read in the ensuing message by decoding and serial-to-parallel 
converting the bit stream and storing the data in the input buf- 
fer , 


Path B of Figure 15 illustrates the simplified signal flow 
for output. After the processor has completed computation and 
voting, the correct data value is stored in the output buffer. 

The processor then executes a routine to determine the correct 
command and header address to route the output data through the 
correct MDM to the right subsystem. Under control of the proces- 
sor, the BCU moves the information from the command buffer and 
the Output buffer to the BCU buffer. Under control of the pro- 
cessor, the BCU converts it into a Manchester serial bit stream 
which is sent out on the bus. 

All MDMs receive the header word and check for their own 
address. If there is a match/ the MDM copies the following com- 
mand and data into its buffer. The MDM then executes the com- 
manded operation, in this case: 

o Addresses the correct SSIB 

o Interconnects the SSIB and the D/A converter 

o Commands the analog conversion of the data which is 
conditioned by the SSIB and sent to the intended 
subsystem 

(Usually, several words of data are processed sequentially for 
each message to enhance bus utilization.) 
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At each step in this process, error checking is being done 
in parallel (i.e,, parity checking). A normal sensor read, com- 
pute and actuator output cycle would require three message trans- 
missions across the bus plus three messages for voting the output 
data. 


Computer- to-Computer I/O Alternatives 

When considering computer- to- computer data transmission, 
there are many options open to the designer. This subsection dis- 
cusses some of the important problems and alternatives which must 
be considered in implementing cross feed between computers in a 
flight control system. 

The first choice is between multiplex signal transmission 
and direct signal transmission architectures. For multiplexed 
systems, computer crossfeed is handled directly by allowing each 
computer to interface with the data bus and respond to commands 
on the bus. Thus, for multiplexed systems, crossfeed between 
computers comes inherently in the system concept. The only addi- 
tional cost is for the needed interface to a global bus which is 
tied to all other computers. 

The direct signal transmission architecture does not support 
computer crossfeed. One alternative is to implement some simple 
form of multiplex data bus between the computers with other inter- 
faces being direct. The solution is costly because it involves 
mixed technology. Figure 16 illustrates this type of architecture. 
This solution pays the penalties for the disadvantages of both 
technologies . 

The other alternative is to provide direct interfaces 
from each computer to every other computer. These interfaces 
are different from the normal direct I/O s\±>system interfaces 
because they connect two intelligent master devices rather than 
a master and a slave device. Thus, a more complex interface 
with some kind of synchronization interlock is required. Such 
an interface is generally termed a Channel-to-Channel Adapter 
(CCA) , 

Figure 17 describes the major functional blocks in a Channel- 
to-Channel Adapter, The key features ares 

o Address and data buffers to allow asynchronous 
communication 

o Synchronizing interlock to ensure only one master 
at a time 
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Figure 16 . Mixed Technology Architecture 


Figure 18 shows how a triplex configuration would be inter- 
connected to allow complete crossfeed of data with a single 
redundant communication channel. 

One additional problem must be considered: the redundancy- 

reliability of the interconnection scheme. Since the channel- 
to-channel adapter is not a trivial interface, an FCS system must 
provide recovery from a failure in the computer cross feed system. 
This means costly duplication of channel-to-channel adapters for 
the direct signal transmission architecture. But the multiplex 
system has inherent redundancy which accomodates multiple inter- 
faces. Redundant intercommunication in the multiplexed bus can 
be accomplished by the simple addition of standard interface 
modules . 
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COMPUTER B INTERRUPT B 

Figure 17. Simplified CCA Block Diagram 



(DEPENDING ON BANDWIDTH REQUIREMENTS 
AND PHYSICAL DISTRIBUTION) 

CCA DENOTES CHANNEL TO CHANNEL ADAPTER 


Figure 18 . Multi-Channel Control 














Computer to Data Bus Interface Alternatives 

When considering direct-dedicated I/O, the computer inter- 
face problem is not significant, since a single interface box 
is slave to the computer. The problem degenerates to consider- 
ation of CPU loading and hardware cost. But with data bused I/O 
there is a distributed I/O system which incurs overhead for both 
control of shared resources and for addressing general-purpose 
modular interfaces. Additionally, a new type of electrical inter- 
face is introduced; a biphase Manchester transformer- coup led bus. 
As a result, the tradeoffs are not as clear-cut. The following 
subsections discuss the critical tradeoffs in implementing the 
CPU to data bus interface , 

There are three possible alternatives to implementing the 
computer- to-MUX bus interface assembly; 

o Direct CPU to bus interface with software support 

o Separate I/O processor hardware and software 

o A compromise hybrid of the two other choices 

The first choice would be the least costly, simplest solution 
The second alternative was the choice for the Shuttle program, 
which maximized flexibility, performance and reliability. The 
third was selected as the best compromise for the DAIS program. 

In evaluating the candidate alternatives, consider the follow 
ing aspects ; 

o Special interface functions 
o Bus data rates and overheads 
o Loading on CPU 
o Functional complexity 
o Simultaneous activities requirements 
o Response time requirements 
o Hardware cost and development time 
o Software and memory costs 
o Flexibility and reliability 
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with a MUX bus as defined in a previous subsection, the 
protocol and function of the CPU interface is fixed. 

The most important special functions performed in the bus 
interface ares 

o Parallel-serial conversion 
o Binary NRZ to biphase Manchester encoding 
o Compare address on the bus to the device address 
o Generate and check parity 
o Interpret command function 
o Buffer transmission 

o Control bus? i,e,, send initiate commands, format 
messages 

o Address the correct MDM 
o Check for errors 

Any viable candidate must provide these basic special func- 
tions, The following subsection discusses the tradeoffs for the 
three interface alternatives. 

Direct CPU to bus interface . - For data-bused systems, di- 
rect CPU-to-bus connections are not possible with the APlOl 
because: 

o The APlOl I/O interface cannot provide all the 
special functions required to interface with the 
bus , 

o The electrical interface of the APlOl is not com- 
patible with the electrical interface on the bus. 

o The quantity of the support software and memory 
required would be large . 

o The response time of the CPU would not be fast 
enough to allow it to execute anything but bus 
control functions . 

o Simultaneous bus activity would be very difficult 
to handle in the support software. 


71 



Thus, the direct CPU-to-bus connection with support in soft™ 
ware is deemed not a viable alternative. 

Separate I/O processor . - The Shuttle design has incorporated 
a separate input/output processor (lOP) as the CPU-to-bus inter- 
face. In that system, there are five processors and 26 buses. 

The CPU loading factors dictate the need for a separate lOP 
although the hardware cost is high. In the F-8C program, there 
are size, power, weight, cost, problems which make this alter- 
native infeasible. Specifically, the major considerations include 

o Physical space limitations will not allow three 
lOPs to be installed 

o Hardware cost and delivery schedule for an lOP 
are incompatible with the F-8C FEW goals 

o The F-8C interface requirement is less compli- 
cated than for Shuttle thus making the execution 
overhead and functional complexity of the lOP 
implementation unnecessary 

o The F-8C data rates, response time requirements, 

CPU loading, and functional requirements do not 
warrant the lOP complexity and resultant decrease 
in reliability. 

Hybrid Compromise . - As a result of studying the F8 FEW re- 
quirements it is clear that neither of the two previous alterna- 
tives are viable. A compromise design has been worked out that 
has the following characteristics; 

o Utilizes the standard MIA assembly to provide the 
special functions while minimizing development 
costs 

o Provides a simple hardware buffer to allow 

synchronous bus and CPU execution while simpli- 
fying CPU software and allow simultaneous 
activities on all three buses 

o Provides minimal control and interface logic 
to allow the CPU to control the MIAs with a 
minimum of software overhead and memory 
locations . 

Flight control functions requiring I/O at 40 to 100 times 
per second will be well within the data transfer rate of the DMA 
channel, thus minimizing CPU loading. 
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Summary . - The interface between the CPU and the bus has 
many important aspects which must be considered in selecting one 
of the implementation alternatives. The CPU cannot be directly 
connected to the bus and then supported with software only. 

The lOP implementation is not feasible for the F-8 system 
as a result of size, weight, and cost considerations. A compro- 
mise design of much reduced hardware complexity supported by soft- 
ware provides a better solution without loss of flexibility and 
commonality with Shuttle performance. Thus, the bus control unit, 
shown in Figure 14 and used as shown in Figures 12 and 15, was 
chosen for implementation of the simulated Shuttle data bus con- 
figurations . 


Redundant Channel Synchronization 

General . - Synchronization of redundant digital computer 
channels may be separated into two categories, micro sync and 
macro sync. In micro synchronization, the clocks used by the in- 
dividual computers are synchronized. Thus precise synchronization 
is obtained. In macro synchronization, the redundant computers 
are "forced" into synchronism at discrete instances in time, e.g., 
at the beginning of each computation interface. However, since 
the redundant clocks run independently, synchronism is not main- 
tained during the interval. 

Synchronization requirements . - The essential requirement 
regarding synchronization of redundant digital systems is that 
computer operations be sufficiently well synchronized to permit 
data exchange of fresh information. Such exchange is used for 
exchange of sensor inputs for crossfeed, selection, and/or 
monitoring by each of the channels. Data exchange is also used 
for crossfeed of computer internal and output parameters for 
monitoring or other purposes. Since such data exchange operations 
can be implemented to be tolerant of slight skew between channels, 
precise synchronization is not required. However, a gross level 
of synchronization is required. The macro sync defined earlier is 
consistent with this requirement. 

Micro synchronization . - In micro synchronization, clocks 
are forced to be synchronous by one of several methods. 

Provided that the computers are initially started simulta- 
neously and that no failures (transient or peinnanent) occur, the 
redundant channels operate in complete synchronism. Computer 
states (e.g., A register, program counter, etc.) will be identical 
and bit for bit comparisons may be performed at any time. Note 
that due to slight skew introduced by circuits in different clock 
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paths y very slight skew will exist at clock edges? hence states 
will not be identical for a short interval ( ±300 nano seconds) 

surrounding clock edges. However, this slight skew poses no 
problem in implementing channel comparison techniques. To assure 
that the computers start simultaneously and to permit recovery 
from transients affecting a single channel, macro synchronization 
is also required. 

Several methods exist for obtaining micro synchronization, 
as follows ; 

1) Common clock - This method uses a single clock for all 
channels. Since the clock is not redundant, this 
method yields a fairly large single-point failure prob- 
ability and is not acceptable. 

2) Synchronized clocks - Redundant clocks with crossfed 
synchronization signals are used in this method. 

Slower clocks are "forced" into synchronism with the 
fastest clock thereby providing micro synchronization. 
Each channel must include monitoring of the crossfed 
synchronization signals as well as of its own clock. 

3) Crossfed clocks - In this method, the clock in each 
channel is crossfed to other channels. Each channel 
automatically selects one of the three clock signals . 
Since the selection criterion is identical in the 
three channels, one of the clocks is selected by all 
of the channels providing synchronism. An in-line 
fail-safe monitor is required in each channel for this 
method. 

Macro synchronization . - Two methods have been considered 
for obtaining macro synchronization, namely; 

1) Halt release - In this method each channel waits 
for other channels before proceeding with the next 
computation interval. On completion of its compu- 
tational task, each computer enters the HALT state, 
awaiting release for the next iteration. Each chan- 
nel includes a real-time counter to develop the HALT 
RELEASE which enables the computer to proceed to the 
next iteration. To provide macro synchronization, 
each channel waits until all channels are ready before 
releasing its own computer. Thus synchronization at 
the beginning of each computation iteration is ob- 
tained. 
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While waiting for a slower channel, each channel 
continues to count. If the wait is excessive, as 
determined by a majority of the three channels, the 
two good channels are released in synchronism. 

Monitoring of the relative synchronism of the three 
channels is accomplished by software. 

2) Real-time counter adjustment - In this method, each 
channel reads the real-time counter values of the 
other channels as well as its own and generates a 
"count value" to be loaded into its real-time counter 
for the next iteration. In this manner, each chan- 
nel adjusts its count interval to coincide with other 
channels at the beginning of each iteration to obtain 
synchronism. Monitoring is readily accomplished in 
software by examining the relative real-time count 
values . 

Conclusions . - Of the synchronization techniques considered, 
the HALT RELEASE macro sync technique appears to meet the require 
ments with the least cost and risk potential. Micro synchroniza- 
tion, with its attendant increased hardware, potential for single 
point failures, and dependence on a fail-safe in-line monitor, 
imposes penalties which obviate its utilization. The real-time 
counter adjustment form of macro synchronization provides poorer 
synchronization performance. For example, if one clock drifts 
somewhat within its allowable specification band, the real-time 
counter "count value" adjustment occurs in the subsequent itera- 
tion and is intended to provide start point synchronization for 
the iteration after that. Thus, effective synchronization per- 
formance limits are larger than for the HALT RELEASE method. 


RECONFIGURABLE COMPUTER STUDY 


A specific task of this study was to review and utilize 
where possible the results of the NASA-sponsored Reconfigurable 
Computer System (RCS) Study in evaluating the redundant computer 
configurations for the F-8C Fly-By-Wire System. Due to the 
schedules of the two studies, only an interim report on the RCS 
study was available for use in the F-8C study. 

The scope of the reconfigurable computer study was broad in 
nature and aimed primarily at the development of new analytical 
techniques. Thus, tasks such as the qualitative specification 
of fault tolerance"' and analytic modeling are theoretically rather 
than practically oriented. The results available, although 
interesting, are not yet useful in an implementation tradeoff 
study . 
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The interira repcurt on the ECS study discussed several inter “ 
e sting techniques for improving system reliability^ but which could 
not be quantitatively factored into the tradeoff study at this 
time. Examples are the roll-bach and roll-ahead techniques to 
compensate for transient faults. These techniques may very well 
have application to future redundant DFBW systems, but the iiuple- 
mentation of the techniques will have to be more fully defined 
before a useful evaluation can be made* 

One important aspect is connected with the purpose of the 
techniques per se, which is to handle transient failures. The 
significance of techniques for transient failure ccanpenEation de- 
pends, of course, on the prevalence of transient failurea. There 
have been few attempts to obtain quantitative data on the frequency 
of occurrence of transient failures. Usually the approach has been 
to correct the design of the device in question so ^at the trans^ 
lent failures stop appearing* Indeed r while it may be apparent 
that transient failures are occurring, it is often difficult to 
pin point the exact time or location of the failure. Similarly, 

It might be difficult to select appropriate points for detecting 
or correcting transient failures if these failures are so ephem- 
eral that it has not been possible to “design them out" of the 
equipment. 

With these points in mind, it is suggested that the analyti- 
cs work On traneleut failure detection and compensation should be 
acccmpaitied by experimental work to quantify the prevalence of 
transient failures and the environmente which cause them. 


ACTUATOR COHSIDERATlOdS 


The surface and secondary actuators of the NASA F-9C flight 
research vehicle were reviewed in regard to their use in the con- 
tinuing F-8C DFBW program* The review indicated three aspects 
that should be considered in detail* These were 1) modifications 
needed to adapt the Phase I secendary actuators for use in tha 
Phase II program j 2} modifications that would be required to simu- 
late the Shuttle actuation eye ten, and S) meane far providing 
backup control systems* These aepecte are covered in the follow- 
ing pages* 


F-Sc Phase I Actuation System 

The F-8C has five separate flight control surfaces as ehown 
in Figure 5. Each surface is driven by a dual -redundant power 
actuator. In order to convert this aircraft to use a fly-by-wire 
control system, the mechanical control syatein was disconnected 
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froin tile input of -the power actuator and, secondary actuators were 
inntailed to position the power actuator. 

Figure 19 is a simplified diagram of the existing (Phase 1) 
F-aC secondary actuator* This actuator has a total of five 
electrohydjraulio servovalves j two of which are presently used for 
dual^'Clianneljr compariaod-monitored conmands froio the digital coat- 
puter(B)k In Phase I the single-digital computer supplied dual 
outputs; in Phase lia the dual^digital computera would each have 
driven one valve. The remaining three are used In a three“Channel 
analog backup control system (BCB) * All channels are provided 
with engage valves for isolating and bypassing purposes, as well 
as differential pressure sensors for interehannel laonitoring in 
the BCS node ^ 
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Figure 19. Existing F-8C Secondary Actuators 
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Analysis of HASA F-8C Actuators 

Actuator performance limitations . ~ F-8C servo actuator 
response requirements were defined in "Digital CCV Flight Control 
Laws" studies conducted at Honeywell under contract NASl-12680, 

A summary of this investigation is included in Appendix A. The 
requirements specified therein are essentially in agreement with 
those defined (as stated in an unpublished Sperry report) . 

The qualitative performance of the NASA F-8C servo actuators 
was fully observed and well docximented during the Phase I Digital 
Fly-By-Wire Flight Test Program at NASA-FRC. The marginal-to- 
inadequate performance of both the primary and backup control 
systems in some flight regimes was recognized and detemined to 
be due to servo nonlinearities (as stated in an unpublished 
Sperry report). In addition, a niamber of possible contributory 
effects were identified as follows: 

1) The 0.05-sec filter in front of the actuator loop, 
inserted to get rid of the "digital staircase" 

2) Inadequate positional gain of the backup actuator loop 

3) Excessive friction in the triple-tandem actuator 

4) Inadequate force gain in the backup actuator loop 

5) Surface actuator loop gain too low 

6) Excessive hysteresis in the surface actuator valve 

7) Horizontal stabilizer power actuators flow limit. 

The lack of complete quantitative information defining the 
servo actuator characteristics and performance indicated the 
necessity of performing a relatively detailed analysis of the 
existing actuator servo loops . The results of this analysis are 
presented in the following paragraphs. 

Actuator servo loop analysis . - In Phase I the secondary 
actuators were operated with the gains indicated in Figure 20. 
Note that for a given piston area, valve pressure gain and re- 
lated electrical ("dry loop") gain, a specific stiffness (colvimn 
"0") can be calculated. 

For one backup channel, the stiffness is that shown (397 
Ib/deg) (180 KG/deg ) , and for two channels, it would be twice 
that, etc. The results can be plotted as shown in Figure 21. 
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ROLL 
AXIS 
i (AILERON) I 


1.305 44.3 375.8 .029 5.27 57,42 


8,523 30.4 4.64 22,68 280.3 12.33 


Figure 20. F-8C Secondary Actuator Loop Gains 





















































































































































This shows that the force gain of two backup channels is twice 
that of one, and that the force ^ain of the primary channel is 
almost that of three backup channels. 

Secondary actuator hysteresis . - Time history recordings of 
secondary actuator behavior were made by NASA-FRC after completion 
of the Phase I flight test program, and were supplied as part of 
the data input to the current study. Careful study of these re- 
cordings has shown that a very significant amount of hysteresis 
exists in the secondary actuators. Table VII lists these measured 
values. 


TABLE VII. - SECONDARY ACTUATOR HYSTERESIS, 
DEGREES, PEAK-TO-PEAK 


Channel Actuator 



Left 

Right 

Pitch primary 

0.3 

0.5 

Backup channel 2 

0.8 

0.5 

Backup channel 3 

0.7 

0.65 

Backup channel 4 

0.45 

0.6 

Backup channel 2,3&4 

0.2 

0.2 

Roll primary 

0.1 

0.2 

Roll backup 2 

0.95 

1.0 

Roll backup 3 

1.0 

1.2 

Roll backup 4 

1.0 

1.25 

Roll backup 2,3&4 

0.4 

0.45 


This data, using the constants from Figure 20 and the plot- 
ting method of Figure 21, but substituting peak-to-peak equiva- 
lent control surface hysteresis for the abscissa instead of sur- 
face deflection, was used to indicate the static friction range 
of the pitch actuators shown in Figure 22. 

Note that equivalent single -channel (backup) friction falls 
in a range of 90 to 160 lb (40.4 to 72,7 KG) and that this "brackets" 
the three-channel data points shown. In order to relate these num- 
bers to the primary system, a maximum/minimum range of friction 
for that system must be plotted. The upper line "primary channel 
without hysteresis," is obtained by use of the numbers from Figure 
20. The lower line, "primary channel with valve hysteresis," shows 
what the equivalent friction would be if valve hysteresis were 
at the maximxam specified (0.52 ma) . Naturally, the real amount 
will fall somewhere in between. 
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Figure 21. F-8C Pitch Axis Actuator Force Gain 


3 BACKUP SYSTEMS 



Figure 22. F-8C Pitch Axis Static Friction Range 
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136.4 


90.9 


45.45 


From this it appears that static friction for the pitch axis 
is in the 80 - 150 lb (36.4 to 68.2 KG) range — probably nearer 
the lower value when backup valve hysteresis is included. A value 
of 3 percent was assumed to be typical for valves of this type, 
although the pecification did not include any definite value . 

a 

The same techniques were used to plot the static friction 
characteristics of the roll axis and the results appear in 
Figure 23. 



HYSTERESIS, DEGREES 


Figure 23. F-8C Roll Axis Static Friction Range 


Note that there is little correlation between the backup 
channels and the primary channel; while calculated static friction 
levels range from 130 to 190 lb (59.1 to 86.4 KG) for the backup, 
those calculated for primary channel forces are only between zero 
and 60 lb (27.3 KG). There are several possibilities for this 
discrepancy : 
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1) The loop gain on the primary channel is actually much 
higher than given in Figure 20, But this woul4 re~ 
quire loop gains in the vicinity of 200 rad — and 
with that amount of ga in the actuator would probably 
be unstable. 

2) The backup channel gains are actually lower than 
those stated in Figure 20. If the error were 2:1, 
this would bring the friction force down into the 

65 to 85 lb (29.5 to 38.6 KG) range which seems more 
likely, and loop gains would actually be 115 rad, 
which is possible. 

3) The self-monitoring electrohydraulic valve (EHV) 
used on the primary channel has a pressure gain 
approximately 3x the minimum stated in the spec. 

This would put the equivalent friction of the 
primary system in the zero to 180 lb (81.8 KG) 
range - another distinct possibility. 

Of these possibilities, alternative 3) seems most likely 
and the load line for this case is included in Figure 23 for ref 
erence. In any case, the recordings have shown that there is 
clearly a significant amount of static friction in the secondary 
actuator system, and that it is the major contributor to the 
actuator hysteresis problem. 

Surface (power) actuators . - Study of the surface actuator 
performance disclosed that, while marginal, they could be used 
as is — assuming that the secondary actuators are significantly 
improved . 


Recommendations for Secondary Actuator Improvement 

Various modifications which might decrease the hysteresis 
and generally improve dynamic performance were considered. 

Reduction of friction . - Reduction of friction in the triple- 
tandem actuator is one obvious way to improve the hysteresis 
characteristic. This may be partially accomplished by refinishing 
seal surfaces, etc. However, it appears more likely that most of 
the friction is due to slight misalignment of the three cylinder 
sections and consequently highly accurate alignment in assembly 
would be required to reduce friction from this source. Analysis 
of the existing pitch axis secondary actuator shows that static 
friction must be reduced to approximately 9 lb (4.09 KG) in order 
to meet the performance objectives. The extreme improvement re- 
quired (reduction from 150 lb (68.2 KG) to 9 lb (4.09 KG)), makes 
it apparent that reduction of friction can only be a partial solu- 
tion and must be used in conjunction with other changes. 
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Force gain increase . ~ In considering this approach the 
triple-backup valve- actuator combination is used as a basis be- 
cause there exists the convenient possibility of interchanging 
the primary and backup valves when converting from the Phase Ila 
design (2X digital and 3X analog backup) to the Phase Ilb design 
(3X digital and 2X backup) . 

The force gain# per se, might be increased by boring out 
the cylinder and increasing piston diameter or perhaps by reducing 
the rod diameter. Obviously the increase in piston area would be 
accompanied by a similar increase in cylinder swept volume# thus 
causing a decrease in piston velocity, assuming the same valve 
and flow rate is retained. It might be permissible to increase 
force gain (and decrease velocity) by 20 to 25 percent, but this 
would not nearly solve the problem. If force gain were the only 
parameter involved it would require that the piston area be in- 
creased from the current 0.189 (1.219 cm^) square inch to approxi- 
mately 1.25 square inches (8.06 cm^) (ass\aming a worst-case fric- 
tion level of 200 lb (90.9 KG), to achieve less than 0.1" hystere- 
sis . 


Beside being mechanically impractical to accomplish, such an 
increase in area would require that other system parameters be 
drastically changed. This, and other alternatives involving the 
use of the original valves, is presented in detail in Appendix B. 

Basically, the problem is that the generous mistrack toler- 
ances of the Phase I arrangement requires low force gains and thus 
cannot achieve low hysteresis in the presence of high static fric- 
tion, Inasmuch as it does not seem feasible to reduce the basic 
friction of the actuator the solution must be a system in which 
the required high force gain can be employed without causing prob- 
lems with mistrack tolerances. 

Using actuator hysteresis as a basic design requirement, 
acceptable characteristics for improved valves to be used in the 
present secondary actuator loops have been calculated (details 
are presented in Appendix C) , The recommended valve parameters 
for the roll axis are included in the bottom line of Figure 24, 
which enables comparison with the present servoactuator coitponents . 

Triple-tandem actuator equalization . - The previous subsection 
indicates that the existing servovalves (at least) must be^ replaced 
if acceptable secondary actuator performance is to be achieved. If 
new servovalves are employed, the always-present problem of channel 
mistrack in the force-s;ammed triple-tandem secondary actuator must 
be solved. 

Use of the present AP transducers to drive "equalizers" as 
shown in Figure 25 is one solution . 
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Figure 24. F-8C Secondary Actuator Loop Gains 








Figure 25. AP Equalizer and Monitor 


In this system, the differential pressure transducer pro- 
duces a signal which is proportional to the difference between 
that channel and the average of all three channels — plus a por 
tion of the static load on the actuator. If this signal were tin 
tegrated and summed into the servo amplifier as a "trim" or 
"equalizer" signal, then the mistrack could (theoretically) be 
eliminated. Unfortunately, there are several disadvantages to 
this system when applied to the real world; 

1) Because the average of all channels contains a 
portion of any specific channel under analysis, 
closing the feedback loop via the equalizer inte- 
grator results in a low-frequency instability. 

2) The static friction loads are not symmetrical; i.e., 
the "extend" load may be greater than the "retract" 

(or vice versa) and consequently, the equalizers 

on all three channels will be "pumped" up — causing 
an ever-increasing offset in the entire axis and 
eventual catastrophy. 
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3) The basic redundancy management concept is that of 
"majority vote," consequently only one failure can 
be identified, and "dual fail op" performance is 
impossible. 

Obviously, the first two disadvantages make this solution un- 
acceptable, but there are some variations which can circumvent 
these problems. An alternate arrangement, shown in Figure 26, 
eliminates the instability problem by using other than "averaging" 
logic . 



Figure 26. Mid-Value Selected Equalizer 


Note that in this system, the difference between the AP 
sensor and the middle value of all AP sensors is used to generate 
an integrated equalizer signal. While this eliminates the sta- 
bility problem, it has other deficiencies I 

1) The inter-channel connections necessary for mid- 
value selection reduce the reliability of each 
individual channel. 
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2) Asymmetrical static loads still tend to generate 
continuously increasing offsets in the equalizers, 
especially if mistracks are well distributed 
throughout the position range. 

3) The monitoring capabilities of this type of system 
are still (normally) limited to "single fail op” — 
while operation after two failures is desirable. 

However, if "dual-fail-op" is not a firm requirement then 
another "fail-op-fail-safe" approach, that of the solution in 
Figure 27, may be applicable. 



Figure 27. Mid-Value Selected Pressure Feedback 
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While this system is similar to that shown in Figure 26, 
it uses no integrators in the pressure feedback loop. Instead, 
a very high negative gain is used (possibly with some shaping) 
to cause the pressure gain of any channel that is not the median 
channel to be severely decreased, and thereby cause that channel 
to "track” the median channel and share its load. Failures are 
easily detected by monitoring the differential pressure levels, 
as in the present actuator. 

This concept appears to have only two deficiencies and they 
are not critical: 

1) The median- select logic requires a large amount 
of inter-channel wiring. 

2) Only fail-op, fail-safe performance can be achieved. 

Where dual-fail-op performance is desired, the solution 
shown in Figure 28 is suggested. 

This configuration is a variation of "active -standby" in 
which all channels are continuously operating; one channel 
designated "active" carries the entire output load with whatever 
force gain is necessary, and the others assigned "on-line" status 
merely "follow the leader." 

This is accomplished by making the active channel a high- 
force gain servo and the on-line channels very low force-gain 
channels by using large amounts of negative pressure feedback on 
the latter. 

"In-line" monitoring permits each channel to be monitored 
individually with a minimum of channel interconnects and at the 
same time provide "dual fail op" characteristics. Because all 
channels are always engaged and monitored, switching transients 
normally associated with active/standby systems are eliminated. 
While detection and correction of the first failure is non-time- 
critical, the second failure requires rapid action of the dis- 
engage system if "biamps" are to be minimized; however, large 
transients are impossible even then because the failed channel is 
still opposed by a good one. 
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Feasibility of Simulation of Shuttle Actuation System 

Schematics of the secondary and surface actuators for both 
the F-8C DFBW airplane and the Shuttle Orbiter are shown in Fig- 
ures 29 and 30 . In both cases a redundant secondary actuator 
drives the valve (s) controlling the surface actuator, but the 
feedback arrangements are markedly different. In the F-8C the 
secondary actuator has electrical position feedback, and thus 
functions as a position servo, i.e., the output position is pro- 
portional to the input signal to the servo amplifier. The sur- 
face actuator also has position feedback, in the form of a 
mechanical linkage, which causes the valve to close as the actu- 
ator reaches the commanded position, so that the deflection of 
the surface is proportional to the output displacement of the 
secondary actuator. Thus, the surface position is proportional 
to the input signal to the servo amplifier, but each actuator 
operates within its own independent feedback loop. 

In the Shuttle arrangement the secondary actuator again has 
position feedback (in this case through a spring applying force 
to the first stage flapper) , but the surface actuator does not 
have any feedback directly to its valve. Instead, the output 
position is sensed electrically and the signal is fed back to the 
input of the secondary actuator servo amplifier. The output of 
the Shuttle Secondary actuator commands velocity of the surface 
actuator rather than position as in the F-8C. The overall result 
is the same in both designs, (i.e., an electrical signal into the 
servo amplifier commands a position output of the surface actuator) , 
but the internal dynamics are somewhat different. Also, the man- 
ner in which in-line failure monitors can be implemented is dif- 
ferent. These differences will not be critical to the reliability 
results of this study, assiiming each actuator arrangement is suc- 
cessfully developed, because there should be little difference in 
the component failure rates of the two configurations. 

It is true, however, that the Shuttle design is unproven and 
there could be problems in the final development that ijiight be 
investigated in the F-8C program if the Shuttle actuators could 
be duplicated or simulated in the F-8C. Accordingly, a brief 
design study of the feasibility of simulating, to any useful de- 
gree, the Shuttle actuators by modifying the F-8C arrangement was 
made. Factors such as modifications required to F-8C secondary 
and surface actuators, possibility of using F-8C EHVs and possible 
dynamic problems were considered. Details of the study are pre- 
sented in Appendix D. The rather definite conclusion is that 
making the F-8C actuators even functionally similar to the Shuttle 
actuators would be difficult, expensive, and time consuming. To 
make the installation sufficiently similar that detail hardware 
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Figure 29. F-8C Aileron Actuation Schematic 
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problems might be uncovered would seem to be economically ^ and 
almost technically^ infeasible. Therefore, there appears to be 
no reason to pursue this question further. 


Backup Control Systems 

Phase lib of the DFBW program was originally intended to use 
a control system having sufficient reliability such that no back- 
up system was required. NASA-FRC, however, considered this 
approach with a new system to be unwise and requested that an in- 
dependent backup system be retained. 

Five backup system concepts, consistent with the use of the 
existing secondary actuator bodies, have been defined. 

These suggested backup systems reflect a "fixed gain" mini- 
mvim complexity concept with no schedules or mode switching capa- 
bility. Sensor inputs are obtained at the output of the demodu- 
lators, and isolated from the multiplex switch input to the digi- 
tal system. Upon digital computer failure, the control is switched 
from the computer output to the analog output through a fade-in 
circuit to minimize the switching transient. Logic for the 
switching is provided by the computer voting process . 

Single-channel backup concept . - As its name implies, this 
concept provides only a single channel of analog circuitry and 
single input to each surface secondary actuator. A simple diagram 
of the concept is shown in Figure 31. Engagement of this backup 
control system would be automatically initiated by a hydraulic 
logic input to the engage valve in the event of failure of two of 
the three primary channels. It is assumed that the Phase Ila back- 
up electronics could be utilized in implementing this concept with 
only minor modifications. Although Figure 31 does not show feed- 
back sensors, etc., augmentation could be included as required. 

A new electrohydraulic valve is required to achieve the desired 
performance . 

The simplicity of the mechanization (the number of compo- 
nents is minimized) assures highest reliability. Enhancement of 
the overall system operational reliability may also be provided 
by either performing pre flight checkout through comparison with 
the digital primary control configuration or by continuous in- 
flight monitoring with one of the primary digital computers. The 
pre flight checkout concept appears to be most attractive for this 
application because it is the least complex (and costly) , and it 
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Figure 31. Single-Channel Backup Concept 



maintains the in-flight isolation between primary and backup con- 
trol systems. Use of one of the primary digital computers to pro- 
vide inflight monitoring could result in failure propagation from 
primary to backup channel or loss of backup system failure detec- 
tion due to a primary channel failure. 

Dual-channel comparison-monitored backup concept . - Figure 
32 illustrates the dual-channel comparison-monitored backup con- 
trol system. This configuration is based upon implementation of 
two identical analog channels which may be accurately monitored 
with a simple analog comparison to detect failures . One of the 
channels supplies control signals to the active backup servo valve, 
while the other channel drives a dummy servo valve which is ob- 
served by the hydraulic monitoring logic. The failure rate for 
this configuration is twice that of the single-channel system, but 
a single failure will still cause complete loss of function. How- 
ever, the dual-channel arrangement does allow continuous moni- 
toring for determination of backup system status and it provides 
complete isolation from the primary digital control system. 

Phase Ila backup electronics may again be used to implement 
this concept with only minor modifications. Augmentation may be 
implemented without affecting the basic concept, if identical 
shaping is incorporated in both channels . Replacement of the 
existing servo valves with new servo valves is assumed to provide 
adequate control performance. 

Dual-channel manually switched backup control system . - The 
dual-channel manually switched backup control system shown in 
Figure 33 is essentially the same as the dual-channel comparison- 
monitored configuration described just previously, except it in- 
cludes the capability to use either computational channel as the 
active control signal source. This is accomplished by incorpora- 
ting a manually operated two-position switch at the output of the 
servo amps so that the output of either channel may be fed to the 
active servo valve. 

When the manual switch is in the normal position, the system 
will operate in the same manner as the dual-channel comparison- 
monitored configuration. In the event of a failure in ei'toer 
backup channel, this condition will be indicated to the pilot. 

The subsequent pilot action will then be dependent upon the air- 
craft response clues he observes. If he determines the failure 
is in the active channel, he operates the switch and then con- 
trols through the monitor channel. Thus, this configuration gains 
some improvement in operational reliability with only a nominal 
system change. 
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Figure 33. Dual-Channel Manually Switched Backup Control System 
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Triple-channel backup configuration . - The triple -channel 
analog backup configuration shown in Figure 34 is strictly a com- 
putational channel backup and does not provide alternate servo 
actuator paths. Inputs to the triple- channel servo amplifier are 
switched between the primary and backup control systems by elec- 
tronic switching in accordance with failure monitoring logic. 

Since the backup system is not fully isolated from the primary 
digital control system, the possibility of common failure modes 
and/or propagation of failure exists. The design of the electron- 
ic switching circuitry, in particular, must be carefully evaluated 
with respect to failure modes. 

The triple-channel Phase Ila backup electronics can be con- 
verted to this configuration with minimum modifications. Triple- 
channel augmentation can be accomodated with this concept. 

This configuration uses only three improved electrohydraulic 
servo valves instead of the five valves used with the current 
secondary actuator concept. The triple -redundant analog actuator 
electronics will include analog in-line monitoring capability to 
provide dual failure operation. 

Fluidic backup concept . - This xinique fluidic backup control 
concept is illustrated in Figure 35 . It is a simple application 
of some of the fluidic flight control techniques which have been 
developed at Honeywell. The configuration provides complete 
isolation from the primary digital flight control. In addition, 
no electrical power is needed, which further reduces common fail- 
ure modes. 

The single- channel direct-hydraulic link configuration shown 
provides a highly reliable unaugmented backup. In the event aug- 
mentation is required, fluidic shaping devices and fluidic ampli- 
fiers consistent with the concept may be added. 


98 



TRIPLEX D/A CONVERTER 



OUTPUT TO 
SURFACE 
ACTUATOR 


VO 

V£> 


Figure 34. Triple-Channel Backup Concept 
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Figure 35. Fluidic Backup Concept 



SECTION 6 


CONFIGURATION DEFINITION 
AND ANALYSIS 


BASIC CONFIGURATIONS CONSIDERED 


Fly-by-wire experience within the aerospace industry has 
established general redundancy requirements using current and 
near-future system components at the three and four-channel 
level. The preliminary reliability - redundancy study 
described in Section 5 also indicated that fewer channels are 
clearly inadequate and more channels are unnecessary to meet 
usual reliability objectives. Hence, the candidate configura- 
tions to be compared herein were defined early in the study to 
include either three or four channels. These levels and appro- 
priate crossfeeding were subsequently verified by a reliability/ 
redundancy analysis described later in this section. Figure 36 
shows the basic configurations chosen for further definition 
and study as likely candidate configurations. In addition to 
the reliability and cost factors, these choices were influenced 
by indications from NASA-LaRC and NASA-FRC concerning the objec- 
tives of future flight test programs. 


Research Vehicle Minimum Configuration 

As its name denotes , this configuration was intended to be 
the least complex, most easily implemented, and consequently, 
least costly triple-channel DFBW control system mechanization 
which might satisfy the reliability requirement. The concept 
involved maximxam use of Phase I and II a hardware and minimum 
aircraft modification to achieve these ends. Figure 37 is a 
simple functional block diagram of the configuration. 

Phase Ila sensors were to be used, with an additional set 
acquired to supply the third channel. Triple stick and rudder 
pedal transducers were used to drive the backup system in the 
earlier program phases, and consequently, were available with- 
out aircraft modification. Aircraft wiring changes were 
minimized by avoiding analog crossfeeding of sensor inputs, and 
similarly, not crossfeeding commands to the surface servos. 

Phase Ila mockup and layouts indicated that all three 
AP-101 computers and the required three sets of input/output 
hardware could be accomodated within the palletized equipment 
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bay. The primary crossfeeds between channels could then be 
easily accomodated by parallel intercommunication between 
processors . 

The analyses presented in refs . 15 and 17 indicate that the 
throughput capability of the APlOl processor is more than suffi- 
cient to assure flight control using higher-level control laws 
if adequate memory capability is provided. A 24K memory was 
assumed for cost and reliability calculations. 

An actuator configuration consistent with the three- 
channel sensor and computational elements was envisioned which 
could be provided simply by the inversion of the primary 
digital and backup functions of the secondary actuator. This 
was to be accomplished by acquisition of an additional high- 
gain (primary) servo valve for each secondary actuator^ 
replacement of the three backup system valves with the three 
higher-gain (primary) valves and mounting of two of the three 
backup valves in the location previously used for the primary 
valves. To avoid equalization problems with the triple-tandem 
secondary actuator, an active/standby mode of operation, with 
only a single cylinder driving at a time, was considered most 
suitab^le. 

As the study progressed, a number of significant deficien- 
cies of" this concept became apparent. The high-friction - 
hysteresis effects of the servo valve - secondary actuator combi- 
nation discussed in Section 5 were resolved to be the source of 
inadequate actuator performance which would be even more detri- 
mental in advanced control law research. The effects of switching 
transients in the active/standby mode of secondary actuator 
operation combined with the marginal performance of the actuators 
were predicted to result in iinsatisfactory flight behavior. The 
mountings of the primary and backup valves were found to be dif- 
ferent, therefore necessitating fabrication of special manifolds, 
etc., to facilitate interchanging their locations. 

As a result of the recognition of these significant problems 
with the aircraft and related systems, it became apparent that 
the so-called "minimum configuration" would, in fact, require 
enough added equipment and aircraft modifications to be virtually 
indistinguishable from the impr o/ed configurations. Consequently, 
the definition and consideration of the "minimum" configuration 
was dropped and it was not further included in the tradeoff. 


Research Vehicle Improved Configuration 

General . - A simple block diagram of the research vehicle 
improved configuration is shown in Figure 38. 
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Figure 38. Triple-Redundant Research Vehicle 
Improved Configuration 

This configuration is designed to provide improved perform- 
ance and reliability in comparison with the Phase I system with 
only a nominal increase in cost. It is intended to utilize 
existing hardware or require only minor modifications. 

The more detailed functional block diagram of Figure 39 
indicates the principal signal paths for both the primary 
triple-channel digital fly-by -wire flight control system and 
the dual-channel analog backup control system. 

The primary digital FEW control system is based upon use 
of the IBM APlOl central processor and sufficient memory 
capacity to allow the APIQI to accomplish necessary input/output 
processing. The interface units shown include additional hard- 
ware for analog-to-digital and digital-to-analog conversion, 
input/output buffers and input/output control functions. 

Each sensor set includes roll, pitch and yaw rate gyros as 
well as normal and lateral accelerometers. Stick and rudder 
command signals, trim control signals, and all sensor set 
signals are fully crossfed in analog form. A digital crossfeed 
at the computational output is provided by intercommunication 
between the processors. 

The interface between the computational function and the 
actuation has not been previously discussed in detail. This is 
primarily due to the fact that state-of-the-art techniques are 
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used* Digital servo commands are converted and reconstituted 
into continuous analog signals via sample and hold circuits which 
approximate zero-order holds. Figure 40 shows a typical digital 
computer - servo amplifier valve interface as used by Honeywell 
in various digital flight control systems. This is a straight 
forward, proven arrangement. 

The dynamic performance limitations noted in the aircraft- 
autocontrol combination have been removed by modification of the 
secondary actuators . The primary hydraulic servo valves have 
been replaced with improved valves, differential pressure 
sensors have been added, and the triple -channel primary section 
of the secondary actuator is operated in a unique force-summed 
implementation designated as active/on-line operation in Section 
5. Actuators are in-line monitored, thus providing two-fail-op 
characteristics. 

Backup system . - Reliability of the analog backup control 
system is assured by the pilot's manual selection switch, which 
gives him the capability to switch in either the active analog 
computational channel or the monitor analog computational channel 
to drive the active backup valve. 


Triple-Data Bus Shuttle Configuration 

The triple-data bus Shuttle configuration was selected to 
closely resemble the Space Shuttle flight control configuration 
within the F-8C physical constraints. The system is based upon 
a multiplexed data bused architecture with triplex redundancy as 
illustrated in Figure 41. The sensors, processors, and actuators 
are the same as those used in the other configurations. The sig- 
nificant difference is the incorporation of a digital transmission 
scheme . 

Shuttle time division multiplex bus terminology . - The 
following Space Shuttle terminology and abbreviations will be 
used; 


o 

MDM - 

Multiplex de-multiplexer 

o 

MIA - 

Multiplex interface adapter 

o 

TDM - 

Time division multiplexing 

o 

FDM - 

Frequency division multiplexing 

o 

BCU - 

Bus control unit 

o 

SSIB 

- Siabsystem interface board 

o 

MUX - 

Multiplexed 
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S■^{Tqe3tfld bug v&rsus Shuttle bus cojnparieoti . - The goal was 
to configure a system which coul(3 use and verify redundancy 
management concepts very similar to those implemented in 
Shuttle. To reduce system development and prcourefnent costs, 
the system was designed arcund Shuttle building blocks, where 
possible. Thus the configuration is a reprosentativo, but 
rather simplified, version of the basic Shuttle flight control 
concept. The major deviations from the Shuttle configuration 
include : 

o Different eensor complement 

o Different actuators 

Q Reduction in number of buses from 26 to 3 

o Replacement of hardware input-out processor fIOP> 
by a more simple bus control unit tBCU) 

o Simplified multiple»er-deraultxplexer units due 
to simplified sensor command 

O Reduced hardware redundancy to a triple channel level 
The important eirai lari ties includes 

o Dtilialng Internally duplexed hdms as designed for 
Shuttle 

O Each processor being able to command each hue 

o Souk cominon I/O software and conventions 

o Some common redundancy menagenient software 

Although multiplex technology ig new and relatively 
unproven in flight control applications, it offers a number 
of advantage St 

o Extensive reconfiguration capability 

o Modular flexibility for trying different redundant 
configurations 

o high noise immunity 

o Bossible cost advantages for standardized parts and 
interfaces 

o Reduced wiring coet/ complexity 



Figure 42 illustrates the detailed block diagram of the overall 
system configuration. 

System partitioning. - The system is partitioned into four 
major interface s\absystems (as illustrated in Figure 42) : 

o Nose electronics interface 

o Computer interface 

o Midship electronics interface 

o Aft actuator interface 

This partitioning is based on: 

o Minimizing cost of MDMs 

o Minimizing non-MUX physical wiring 

o Equalizing loading 

o Utilizing redundancy management policy from Space 

Shuttle 

Three physical I/O subsystems are partitioned to equalize 
loading on the bus while minimizing the wiring from MDM to the 
sensor or actuator. This results in nine MDM modules and three 
ECU modules being required to provide data busing. 

Multiplex technology . - The following paragraphs summarize 
the important different features of this configuration. 

Readers unfamiliar with multiplex technology may read the back- 
ground discussions in Section 5 for details on multiplex design 
considerations . 

Figure 43 illustrates the relationship between the major 
components of the multiplex data bus. The MDM is the Shuttle 
standard bus interface module which connects flight control 
subsystems to two independent MUX busses . An MDM is composed of 
two independent microprogrammed controllers which provide dual- 
redundant paths to a primary and a backup bus. The MIA within 
the MDM provides the signal conditioning for transmitting and 
receiving Manchester coded data on the bus . The control and 
timing block provides data buffering, address recognition, and 
command execution sequencing. The SSIB is a custom board that 
interfaces the signals from the sensor or to the actuator with 
dual paths through the MDM as shown in the inset of Figure 43. 
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Figure 42. Triple-Data Bus Shuttle Configuration 































Figure 43. Relationship Between Components of a 
Multiplex Data Bus 


The BCU provides an interface between the processor and 
all redundant buses. Through it, each processor is capable of 
controlling any bus and responds to requests on all buses. 

Thus, the BCU is a compromise hybrid concept which uses a nomi- 
nal amount of new hardware and APlOl software to accomplish the 
same function as the I/O Processor described in Section 5. 

Undoubtedly custom hardware that would more efficiently 
handle the F-8C problem could be designed, but the development 
costs would far outweigh the slight additional hardware costs 
incurred by using Shuttle units wherever feasible, as described 
above. 

Redundancy scheme . - This system is configured to closely 
resemble the redundancy management techniques employed in the 
Space Shuttle scaled down to solve the F-8C problem, cost 
effectively. 
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Three separate twisted shielded pair buses are provided to 
transmit all input/ output and intercomputer data. A triplex 
bus configuration was selected to simplify I/O scheduling and 
correspond to the Shuttle approach, although reliability consid- 
erations suggest a duplex bus may be adequate. 

Each MDM contains dual-redundant channels which interface 
with both a primary and backup bus. A subsystem interface board 
(SSIB) interfaces each redundant channel sensor set to dual- 
redundant D/As and A/Ds . Either the primary or backup channel 
can access the sensors, thus facilitating fault isolation and 
full recovery to triplex operation if a bus or MDM channel fails. 
Simplex or duplex sensors are connected to all three MDMs, allow- 
ing each processor access to that input. 

The processors are connected to the bus with three indepen- 
dent MUX interfaces which allow the computer to control any one 
bus, and respond on the other two. Under program control, each 
processor can decide which bus it will control, which is exactly 
the method used by Shuttle. 

All input voting is done by all processors in software 
by sharing all three input sets. This provides for triplex 
median select or any other form of signal select/voting scheme 
to be implemented with maximum fault coverage over the voting 
software. 

The outputs are voted by each processor in software before 
being sent out to the actuators. Then each CPU will send out 
bit-identical answers which may be easily compared at the 
actuators with a simple bit-by-bit comparator, if required. 

Due to the dual-channel nature of the MDMs, there are two 
possible success paths to each independent actuator channel (see 
Figure 42) . 

Flexibility aspects . - One advantageous characteristic of a 
data bus configuration that merits further discussion is the 
inherent flexibility available for evaluating different redun- 
dancy management schemes. The modular structure allows for 
simple inclusion or deletion of redundant sensors, crossfeeds, 
processors, and actuators without hardware redesign. Many 
different success path strategies can be studied with essentially 
the same basic system design. ' 

This flexibility may be further enhanced by: 
o Internally duplexed MDMs 

o Multiplexing of subsystem interface boards (SSIB) 
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o Multiple connection paths between CPUs and buses; 
and MDMs and buses 

This system flexibility can be illustrated by the triple- 
bus quad-computer configuration shown in Figure 44, where an 
additional AP-101 is included in a standby spare mode which could 
be constantly monitoring the noonnal operation and be switched 
into operation after the first CPU/BCU failure. Due to the 
data bus implementation, the fourth CPU can be physically 
located anywhere in the airplane. 

Another example of flexibility is that the system can be 
configured with duplex MDMs rather than triplex. Figure 45 
illustrates a triple-bus , dual-MDM configuration which offers a 
significant reduction in cost with only slight reduction in 
reliability. 

The output actuators MDMs would remain triplexed as would 
the computer BCUs. The only other change would be in the system 
software to address sensor set No. 2 through the new access 
paths . 


Quadruple Computation Commercial Transport Configuration 

Another area of possible application of the F-8C program is 
research in the digital fly-by-wire flight controls for commer- 
cial transports. 

Two highly significant innovations in automatic flight 
control — 1) the fly-by-wire system, which replaces the 
mechanical coupling to the surface actuators with electrical 
coupling; and 2) higher-level active control modes, which im- 
prove passenger comfort and structure fatigue life — have no 
flight test experience directed toward commercial transport 
considerations. The proposed commercial transport configuration 
(Figure 46) includes, in addition to the above functions, a full 
set of flight control modes presently utilized in commercial jet 
transport aircraft such as pilot relief, control wheel (stick) 
steering, area navigation coupling, automatic landing, roll-out 
and go-around modes . 

The primary considerations in commercial transport avionics 
are safety and cost, with performance third in importance. 
Economic considerations should never overshadow the safety 
aspects, but may require changes in operational procedures to 
improve cost effectiveness. 
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Figure 45. Sample Interconnection for Dual-MDM Configuration 
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Figure 46. Quadruple-Redundant Transport Configuration 


Computer configuration . - The importance attached to safety 
and high operational reliability by commercial airlines is indi- 
cated in ref. 24. They indicate four-channel comparison-monitored 
configurations for flight critical functions are considered to 
be mandatory because ; 

1) The airplane must be able to continue the trip from 

an intermediate stop even though a component failure 
has been detected, and 

2) The use of in-line self-test (monitoring) as a satis- 

factory substitute for comparison monitoring has not 
been conclusively demonstrated. 

Sensor configuration . - The cost-of-ownership studies in- 
cluded as a part of the Honeywell ATT Study (ref. 24) indicated 
that costs directly related to initial acquisition, maintenance. 
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and replacement of sensors may amount to approximately 41 percent 
of the total cost of ownership of a quadruple redundant flight 
control system. These high costs associated with quad redundant 
orthogonal sensor sets may be reduced by approximately one-half 
through the use of a skewed hexad sensor array including six rate 
gyros and six accelerometers. The use of a skewed sensor array 
is particularly compatible with the commercial transport applica- 
tion because the rates and accelerations to be sensed along the 
various axes of the transport are in the same range , and thus 
all sensors in an array may be identical . For economic reasons , 
then, a hexad skewed sensor array is used in the quad commercial 
system. 

A description of the theory and application concepts of 
skewed sensor arrays is included in Section 5 . > 

The large processor (AP 101) , provides more than adequate 
throughput capability to accomplish all of the AFCS functions 
listed earlier. In addition, the operational reliability as 
well as maintainability are enhanced by the built-in-test 
capability offered by the AP 101. 

Conventional component interconnection by wiring harness 
will be used. Similarly, conventional input/output data 
handling techniques and hardware will be used where necessary to 
supplement the AP 101 (i.e., a separate I/O processor will not 
be used, but the I/O function will be handled with AP 101 soft- 
ware as much as possible) . 


Quadruple Redundant Shuttle Configuration 

Figure 47 is a simple block diagram of the quadruple redun- 
dant data bus Shuttle configuration. This configuration most 
closely approximates the actual multiple-data bus arrangement 
used in the Shuttle and consequently, redundancy management 
techniques developed or refined with it should be directly' 
applicable to the Shuttle flight control system. 

The implementation of the sensor and computation portions 
of each channel is essentially identical to the implementation 
of the trip]^e-data bus Shuttle configuration. The improved 
secondary actuator recommended in the previous section is also 
assumed to be used in this configuration. The change in redun- 
dancy level from the four-channel computation to the three- 
channel secondary actuator is facilitated in the data bus 
arrangement by the fact that the signal flow is controlled 
through software. 
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Figure 47. Quadruple-Data Bus and Computer Shuttle Configuration 















ANALYSIS AND TRADEOFF METHODS 


Tradeoff Evaluation Parameters 

[ 

The following criteria were listed in the NASA statement 
of work and/or Honeywell proposal as possible primary parameters 
to be considered when performing final evaluation of each candi- 
date configuration. 

o Performance 

o Funding constraints 

o Reliability 

o Maintainability 

o Producibility 

o Weight 

o Flexibility 

o Cost 

o Accessibility 
o Packaging 
o Fault isolation 
o Repair 

o Environmental factors 
O Complexity 

This list includes some apparent duplications, but also may 
be deficient in not listing other significant criteria. 

However, application of such a large number of tradeoff para- 
meters is not conveniently accomplished. Consequently, the 
tradeoff must consider only the most important parameters with 
a weighting method which can be consistently applied to all of 
the candidate configurations . 

Two factors were used in evaluating the configurations — 
rating and weighting; 
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1 ) 


Rating values - The ratings were assigned in the range 
from 0 to 10 with the configuration rated highest for 
a particular parameter (highest level of "goodness") 
receiving a rating equal to 10 and the other configur- 
ations given a lower rating, based upon the estimated 
degree of difference. Where two configurations were 
considered equal, both were given the same rating. 

2) Weighting factors - Obviously, all of the tradeoff 

parameters were not of equal importance in the selec- 
tion of a recommended configuration. Weighting 
factors were assigned for each parameter in accordance 
with its relative importance. The rating value was 
multiplied by the weighting factor to establish a 
niimerical parameter value. Summation of these 
numerical parameter values gave an overall numerical 
rating for each configuration. 

Tradeoff parcimeter selection rationale . - The proposed 
tradeoff parameters are each discussed below with the rationale 
for selection of the significant parameters to be used in the 
evaluation of the candidate configurations . The unique and 
specific requirements of the F-8C digital fly-by-wire program 
were a primary consideration in this selection. 

Performance; Performance may not be a very useful primary 
parameter for evaluation of the proposed F-8C DFBW configurations 
because all candidate configurations must provide adequate per- 
formance to accomplish the development task. 

Rating of performance could be represented by a non-linear 
function as illustrated in the following sketch in which the 
nominally adequate performance is represented by MIL-F-8785 
requirements . 
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Since evaluation of intermediate levels of performance 
requires a level of system definition that was not within the 
scope of this program, performance was discarded as a tradeoff 
parameter. 

Funding constraints : The program funding constraints are 

a primary consideration, although funding restraints do not 
vary with the configuration and consequently, are not a system 
parameter. Since the funding constraints were not defined to 
Honeywell, this factor was not used in the tradeoff. 

Integrity or reliability: System integrity has commonly 

been expressed by a number of terms such as reliability, mission 
reliability, operational reliability, MTBF, failure rate, 
equivalent MTBF, probability of failure and probability of 
success which differ in detail but essentially serve to measure 
the same quality. 

The contractual statement of work for this study estab- 
lished an operational reliability requirement of 10”^ system 
failures per flight hour. This is a significant independent 
parameter which was determined for each configuration using 
success path diagrams, component MTBFs, and mission time. 
Calculations were based on a two-hour mission. 

Since the operational reliability data can differ by 
several orders of magnitude, while none of the other rating 
parameters differ by even a factor of ten, it is apparent that 
the raw data must be converted to more appropriate ratings . 
Conversion of the raw data to a system rating is an arbitrary 
process which can cause a wide variation in effective weight. 
Therefore, only after consideration of a number of alternatives, 
a logarithmic function was selected as most appropriate. 

RF = -K log^^Q X 

where RF is the reliability factor, X is the failure 
probability for a particular system, and K is a constant 
for a particular set of systems which makes RF, for the 
system with the smallest X , equal to 10 . 
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Thus, for K = 1, and X = 1 x 10 RF = 10 

X = 1 X 10“^ RF = 5 

Some consideration was given to the concept that a rating 
of zero (0) should be given to any system with a reliability 

less than the specified requirement (10”^). However, as indi- 
cated in Section 5, although the 10“^ requirement appears 
reasonable for commercial transport flight control research it 
may be somewhat stringent for military aircraft. Consequently, 
the discontinuous rating concept was not used. 

Maintainability and repair requirements: A maintainability 

requirement of 0.02 maintenance man hours per flight hour was 
established in the contractual statement of work. Such a 
requirement is applicable to a long-term operational program 
involving large numbers of aircraft with a well-defined main- 
tenance structure using automated test equipment, etc. Further 
determination of a maintenance ratio requires a detailed 
definition of the configuration and maintenance philosophy which 
was not in accordance with the planned scope of this study. 

Thus, this maintainability requirement does not appear to be 
appropriate to a development program such as the F-8C DFBW 
project. Consequently, Honeywell, after discussion with NASA, 
deleted maintenance ratio as a factor in evaluating the candi- 
date configurations . 

A*. 

One measure of maintenance required is the summation of 
component failure rates without regard to redundancy crossfeed- 
ing, etc. The inverse of this total failure rate may be defined 
as the "mean time between maintenance actions" (MTBMA) . This 
parameter has been determined for each of the candidate configur- 
ations and was used in establishing the maintainability rating. 

The rating is determined by noinmalizing (dividing the MTBMA 
for each candidate configuration by the largest MTBMA in the 
set) , and multiplying this value by ten. 

Producibility ; Producibility is not a critical factor 
since this is a development, rather than high-production program. 
In addition, no exotic components or techniques are anticipated 
to be utilized. State-of-the-art hardware was used to keep 
costs down as well as to assure reliability. Producibility, 
therefore, was not used as a factor in evaluation of the various 
configurations . 

Packaging: For the same reasons mentioned above concerning 

producibility, packaging was not considered an appropriate 
factor for use in the evaluation of the candidate configurations. 
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Weight and volume; The physical parameters of weight and 
volume are useful for evaluation of the candidate configurations . 
Space is very limited in the F-8C flight test aircraft and, 
consequently, is a more vital concern than weight. An undesir- 
able but possible solution to the lack of space would be the 
attachment of an external pod and/or adding faired structure. 
Additional weight or space requirements may be converted to 
cost; therefore, weight and space effects were not evaluated as 
independent parameters but were included in costs. 

Accessibility: Accessibility may be effectively determined 

only after a detailed physical layout of the components and 
interconnecting harness in the test aircraft. Assessment of 
accessibility was not appropriate to the scope of this study and 
accessibility was not used in the evaluation. 

Cost: Cost of ownership is an excellent criteria for 

evaluation of operational systems; however, this is not a 
suitable criteria for development programs because of the lack 
of definition of the operational model and other input para- 
meters . 

Initial hardware costs alone are not suitable criteria 
because such costs may be only a small percentage of the overall 
program costs and may not be proportional to the overall costs 
for a particular configuration. In evaluating the candidates 
with regard to costs, the following components of the overall 
costs were considered; 

o FCS development hardware (custom interface hardware, 
for example) 

o FCS purchased hardware (sensors, valves, computers etc.) 

o Aircraft purchased hardware (ptimps, alternators, 
harness, etc) 

o Aircraft modification 

Design and development engineering costs are very likely 
greater than the s\im of the costs listed above; however, they 
were not considered in the tradeoff because many of the factors 
influencing bhese costs were unknown to Honeywell. For example, 
the extent to which Shuttle data bus hardware would be available 
would have a very significant effect. It is also very possible 
that the development costs would be approximately proportional 
to the hardware costs; thfus, their inclusion would not change 
the relative ratings. 
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Fault isolation: The architecture of the candidate config- 

urations was so very similar and the level of detail definition 
was so gross that differences in fault isolation capability from 
configuration to configuration were virtually undistinguishable . 
Thus, this parameter was not considered independently in the 
tradeoff. Fault isolation capeibility was factored into consid- 
erations of reliability and maintainability, however, as a 
secondary influence. 

Power: Power was not originally indicated as one of the 

suggested tradeoff parameters; however, the preliminary investi- 
gation and data collection phase of this study disclosed a 
substantial problem with the flight test aircraft power capacity 
Both hydraulic and electrical power limitations can influence 
the selection of the recommended configurations. Consequently, 
this was included in the study evaluation. Replacement of 
present aircraft equipment with higher-capacity components 
results in direct costs . The effects of power requirements were 
included in the cost rating and not as a separate parameter. 

Flexibility: Flexibility (or ease of modification) is an 

independent parameter which is ^andoubtedly of greater importance 
in research programs than most other applications. Since all 
candidate configurations are based upon use of the same computer 
many of the possible variations in system architectures are 
restricted and, consequently, flexibility was considered not to 
be an appropriate parameter for the evaluation process. 

Complexity: Complexity is a parameter that tends to denote 

degradation rather than an improvement in capabilities. Flexi- 
bility usually implies some increase in complexity as well as 
increased capabilities. Increased costs are virtually always a 
result of increased complexity, thus, the effect of complexity 
may be represented by cost. Therefore, complexity was not used 
as an evaluation parameter. 

Environmental factors: The effect of environmental factors 

does not appear to provide sufficient differential to warrant 
making any judgement of the influence of these parameters. They 
were not included as a separate criteria. 

Applicability to Shuttle: This evaluation parameter was 

added early in the study when NASA indicated specific interest 
in application of the F-8C program to aid in Shuttle development 


125 



Quantitative measurement was not possible. Consequently, 
somewhat arbitrary judgements of the closeness of approximation 
to the Shuttle FCS techniques were used. It is apparent that 
the weighting of this parameter is a primary influence on the 
outcome of the tradeoff. 

Weighting factors . - The weighting factors assigned to the 
tradeoff parameters to be used in evaluating the candidate 
configurations are: 

Tradeoff Parameter Weighting Factor 

Cost 1.0 

Reliability 1.0 

Maintainability 0.25 

Applicability to Shuttle 1.0 


Reliability Analysis 

The program statement of work specifies as a goal that the 
system failure probability should be less than 1 x 10“^ flight 
control system failures per flight hour. Two different types of 
reliability investigations were conducted during the study. 

First, preliminary studies (discussed in Section 5 and 7 were 
conducted to determine the general levels of redundancy, cross- 
feeding, self test and backup necessary to achieve the 10“^ re- 
quirement in order to define the basic configurations. Second, 
the analysis described in Section 7 was conducted to validate 
the more fully detailed and complete configurations under con- 
sideration. 

A number of reliability analysis techniques were considered, 
including success path analysis, state space generalized relia- 
bility models and various digital computer programs . The 
application of CARE, a computer-aided reliability estimation 
program developed under NASA contract, was also briefly investi- 
gated . 

Since CARE is designed for evaluating fault-tolerant sys- 
tems, it appeared this program could be very useful in this 
study. However, upon contacting both NASA-Langley and the 
Computer Software Management and Information Center, University 
of Georgia, it was found that neither the CARE 1 or CARE 2 pro- 
grams were available for general use at this time. Honeywell, 
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consequently, conducted the reliability analysis using success 
path diagrams and reliability modeling techniques which have 
been successfully utilized in the past. These techniques are 
described in detail in Appendix E and reference 19, 

The reliability of each candidate configuration was deter- 
mined by probability of failure calculations based on success 
path diagrams and state space methods in accordance with the 
following assumptions and approximations . 

o All channels are failure free and fully operational at 
the beginning of the 2-hour mission (i.e, perfect 
preflight testing) . 

o Perfect failure monitoring and channel switching is 
provided by the failure monitors. 

o Unless a failure occurs, all equipment is operating for 
the entire 2-hour mission. 

o Redundant channels are truly redundant in the sense 

that there are no significant single elements that will 
compromise the calculated reliability of a redundant 
configuration. Examples of such elements are common 
electrical power and hydraulic sources, or a single 
electronic component failure that will cause a monitor 
to trip , etc . 

o All functions are required for system operation. 

Approximations employed in the reliability analysis were: 

o In cases where a sensor or actuator required an input 
generated by another function such as power from an 
interface unit or computer, the failure rate associated 
with the parts generating the required power was 
included in the failure rate of the sensor and/or 
actuator in addition to being included in the interface 
unit or computer. This approximation simplifies the 
calculation necessary and produces a conservative 
result with assurance of meeting the requirement. 

o A capability of detecting 95 percent of all channel 
failures with self test was assumed for the processor 
- input/output function when predicting reliability 
improvement due to self test. This is judged to 
be conservative, based upon Honeywell studies in this 
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area which indicate self test capability of greater than 
99 percent is realistic and obtainable in a digital 
system using processor self tests, parity tests, I/O 
wrap-around tests, arid dynamic computation tests. 

The probability of failure calculated for each redun- 
dant function configuration was based on the binomial 

expansion formula (R+Q)^ which assumes an exponential 

failure distribution where R=e“^^ and Q = 1 - R. A 
total system probability of failure (Q) was determined 
by summing the subsequent series strings of failure 
probabilities. This could be done, because, for small 
probabilities of failure, Q=Xt. Therefore, Q total = 

(X£+X2 + ^3 + + ^n)t == X^t + X2t + X3t + 

+ X^t. The probability of failure per flight hour 
over a 2~hour mission was calculated as 1/2 of the 
"system probability of failure for 2 hours". 

Reliability success path block diagrams were drawn for each 
of the configurations evaluated, with each block representing a 
major system function. These diagrams depict the level of 
redundancy, .if any, employed for each function and note the 
necessary mamber of channels that must operate for system 
success, depending on the type of redundancy monitoring employed. 

Failure rates in terms of percent failures per 1000 hours 
were assigned to each block in the success path diagram. A 
majority of these failure rates were derived from Honeywell 
standard piece part failure rates and commercial airline opera- 
tional data. These piece part and component failure rate data 
are listed and discussed in Appendix F. A source description of 
the failure rates assigned to each success path block is provided 
with the detailed discussion of each specific configuration. 
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SECTION 7 


RESULTS 

AN EVALUATION OF SELF-TEST EFFECT ON RELIABILITY 


In the simplified redundancy analysis described in Section 
5 it was indicated that the probability of total sensor and 

computation function failure was in the range of 4 x 10”^® to 
4 X lO"^^ for a dual-digital configuration with a triple-analog 
backup and comparison monitoring. Further, it was indicated that 
with comparison monitoring plus 95 percent self test, the pro- 
bability of a total system failure actually became greater and 

increased to the range of 5 x 10~® to 5 x 10“^®. This effect 
was of particular interest because this is the configuration 
originally planned for the Phase Ila flight test. 

The cause of this increase is the additional failure modes 
introduced with a self-test capability. With a self-test capa- 
bility, it is possible (if the second failure is not detected by 
self test) to have a total system failure and not switch to the 
analog backup at all. Whether or not this is significant depends 
on the self-test capability (%) and the relative magnitude of the 
digital failure rate (primary channel) with respect to the failure 
rate of the analog backup. 

In order to further evaluate the effect of the full range of 
self-test capabilities on the probability of system failure, the 
following four system configurations were analyzed under the same 
groundrules as the previous simplified redundancy analysis except 
the length of the mission was increased to two hours to correspond 
with an average F-8C mission. Note that this analysis considers 
only the sensors and computational elements of each configuration; 
servo actuator effects are not included. 

o Quadruple-channel digital system without any 
analog backup. 

o Triple-channel digital system with a dual-channel 
analog backup. 

o Dual-channel digital with a triple-channel analog 
backup. 

o Dual-channel digital system with a dual-channel 
analog backup. 
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state diagrams were constructed for each of these con- 
figurations and the probability of total system failure was 
computed for each configuration using the computerized State 
Interpretative Program. The state diagrams and sample compu- 
tations are included in Appendix E. 

The results of this analysis are provided in the plots in 
Figures 48 and 49, which show the probability of total system 
failure/per hour versus the self-test capability of the primary 
digital channel. 

Figure 48 plots are based on a 10 faxlure per hour dxgital 

channel and a 4.5 x 10“^ failure per hour analog backup channel. 
In Figure 48, both the triple-channel digital with dual-channel 
analog backup and a straight quadruple-digital channel have prob- 
abilities of total system failure much less than the other two 
configurations. The probability of total system failures for 
both configurations can be decreased by a factor of close to 100 
by varying the self-test capability from 90 to 99.9 percent. 

. -4 

Fxgure 49 plots are based on a 10 faxlure per hour dxgxtal 

channel and a 4.5 x 10~^ failure per hour analog backup channel. 
As shown in Figure 49, the triple-digital channel with dual- 
analog backup channel and the straight quadruple channel digital 
systems have similar probabilities of total system failure and 
are much better than the other two system configurations. Again, 
close to a factor of 100 in improvement can be gained by improv- 
ing the self-test capability from 90 to 99.9 percent. 

If the curves in Figure 48 are compared with the correspond- 
ing curves in Figure 49, it can be observed that: 

1) As the failure rate of the digital channel is 

decreased from 10“^ to 10“'^ failures per hour, the 
probability of total system failure per hour de- 
creases by approximately 10“^ for the straight 

quadruple system and by approximately 10 for the 
triple-channel digital and dual analog backup system. 

2) The probability of total system failure for both 
the straight quadruple system and the triple- 
channel digital with a dual-analog backup, is 
less than 1 x 10”^ failure per hour as long 

as the self-test capability is greater than 95 
percent. Therefore, if the probability of 
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PROBABLITY OF SYSTEM FAILURE PER FLIGHT HOUR 
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Figure 48. Reliability Variation With Self-Test Capability 
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failure of the actuator function per hour is 

10“^ or greater, very little improvement would 
be gained with any increase in sensor and 
computation redundancy . 

3) The results obtained for the configuration con- 
sisting of dual-digital channels with triple- 
analog channel backup illustrate that caution must 
be exercised when introducing self test and auto- 
matic switching. If it is assumed that the system 
cannot switch to the analog backup when the second 
digital channel failure is not detected by self 
test, the probability of total system failure 
actually peaks at around 50 percent self-test 
capability. Therefore, unless the self-test 
capability is greater than 99.2 percent, the 
probability of total system failure will be 
greater with self test than without it. This 
characteristic is shown in Figures 48 and 49 
and in more detail in Figure 50 . 


RELIABILITY TRADEOFF RESULTS 


The operational reliability goal for the F-8C DFBW flight 
control systems studied was a probability of failure per hour less 

than 1 X 10“^, based on a mission time of two hours. The four 
basic configurations described previously in Section 6 were evalu- 
ated in detail to determine the failure probability for various 
versions of each one. 

A summary comparing the probability of failure per flight 
hour for the four configurations is provided following the more 
detailed results. 


Improved Research Configuration 
Success Path Diagram and Probability of Failure Calculations 

The success path diagram for the improved research vehicle 
configuration is shown in Figure 51. 
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As shown in Table VIII the probability of a total system 
failure per hour is equal to 107.7 x 10“® for the basic configu- 
ration. The 107.70 X 10“^ is the svunnmation of the probability 
of the sensor function failure, the computation function failure, 
and the actuation function failure. The probability of the com- 
putation function failure per hour (101.31 x 10“^) assumes that 
at least two of the three computation channels must operate and 
relies on comparison monitoring only for failure detection. 

It is apparent that the computation function failure rate 
is the major contributor to the total system failure rate. There- 
fore, the computation function is the obvious area in which to 
effect reliability improvement. Utilization of self test after 
a second channel failure can enable determination of the "good" 
channel and continued operation with the single channel. Assum- 
ing 95 percent of all computational function failures will be 
detected by self test, the probability of a computation function 

failure per hour can be reduced from the 101.3124 x 10”® to 
—8 

5.07 X 10 . This reduces the probability of total system fail- 

ure per hour from the 107.77 x 10“® to 11.53 x 10“® with 95 per- 
cent self-test effectivity. 

System probability of failure per hour is as follows ; 


o 

Sensor function 

6.15 

X 

10”® 

o 

Computation function 

5.07 

X 

00 

1 

o 
1 — 1 

o 

Actuation function 

0.31 

X 

00 

i 

o 

rH 


System total 11.53 x 10”® 


As can be seen from the relative magnitudes of these proba- 
bilities of system failure, any additional redundancy in the 
computation function can only reduce the system probability of 
failure by approximately a factor of two. In other words, as the 
redundancy of the computation function is increased, the proba- 
bility of total system failure will approach the siammation. of 
probabilities of the loss of the sensor and actuation function, 
or 6.46 X 10”®. 
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TABLE VIII. - EQUIVALENT FAILURE RATE AND PROBABILITY OF 
FAILURE PER HOUR FOR THE IMPROVED RESEARCH VEHICLE CONFIGURATION 


Function/sub- function 

Failure rate 
(X)%/1000 hours 

Success 

criteria 

Sub-function 
equivalent 
failure rate 

X 10-8 

Probability 
of failure 
per hour 

X 10-8 

Sensors 




6.15 

1. Roll rate gyro 

5.2 

2 of 3 

1.6221 


2. Pitch rate gyro 

5.2 

2 of 3 

1.6221 


3. Yaw rate gyro 

5.2 

2 of 3 

1.6221 


4. Lateral accelerometer 

3.2 

2 of 3 

0.6143 


5. Normal accelerometer 

3.2 

2 of 3 

0.6143 


6. Stick 

1.0 

2 of 3 

0.0599 


Computation 

41.12 

2 of 3 


101.31 

1. I/O control 





2 . Mode control 

41.12 

2 of 3 

101.3124 


3. CPU 





4 . Memory 





Actuation 




0.31 

1. Right elevon secondary 
actuator and/in-line 
monitor 






2. Left elevon secondary 
actuator and in-line 
monitor 






3. Right aileron secondary 
actuator and in-line 
monitor 


y 56.92 

1 of 3 

0.0736 


4. Left aileron secondary 
actuator and in-line 
monitor 






5. Rudder aileron secondary 
actuator and in-line 
monitor 






6. Right elevon power 
actuator 

1.54 

1 of 2 

0.0474 


7 . Left elevon power 
actuator 

1.54 

1 of 2 

0.0474 


8. Right aileron power 
actuator 

1.54 

1 of 2 

0.0474 


9 . Left Aileron power 
actuator 

1.54 

1 of 2 

0.0474 


10 . Rudder power actuator 

1.54 

1 of 2 

0.0474 


TOTALS 




107.77 
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If the analog backup (Figure 52) is considered in the prob- 
ability of success for the improved configuration, the probability 
of failure per hour (based on a 2-hour mission) is decreased from 

107.7 X 10”® to 6.5 X 10“® (without considering the potential self- 
test capability of the computation function) . If both an analog 
backup and self test in the computational function are considered, 
the probability of failure per flight hour is decreased only 

slightly to approximately 6.48 x 10“®. If pilot switching is 
considered in the analog backup, the probability of failure per 

—8 

flight hour is decreased to approximately 6.46 x 10 . 

A simplified system success path diagram showing the analog 
backup system integrated into the system is shown in Figure 53. 

A reliability prediction of the analog backup is provided in 
Table IX . 

The calculations for this configuration have been based 
upon the assumption that the sensors are all crossfed into all 
three computation channels. Without this crossfeed, the equiva- 
lent failure rate for the combination of the sensor and compu- 
tation function would increase, resulting in the values shown in 
Table X, 

The first column of Table X provides the equivalent failure 
by basic function with the sensors crossfed into the computation 
function and with comparison monitoring only. The result is a 
system equivalent failure rate and probability of failure per 

hour of 107.77 x 10"®. 

The second col^amn of Table X provides the equivalent fail- 
ure rate by basic function for the improved research vehicle 
configuration, with the sensors crossfed into the computation 
function and with both comparison monitoring and 95 percent self 
test (computation function) . The result is a system equivalent 

—8 

failure rate and probability of failure per hour of 11.53 x 10 °. 
With a 95 percent self test in the computation function the 

equivalent failure rate was reduced from 101.31 x 10“® to 5.07 
x 10~® and the potentially unsafe failure mode that was intro- 
duced has a probability of occurence of less than 10“^^ per hour. 
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Figure 52. Dual Channel Analog Backup System Success Path Diagram 









Figure 53, Simplified Eucesee PatJl Piagrare of the Improved 
Research Vehicle Configuration Including 
Dual— Chanjciel Jinalog Backup 
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COlufAij nXiDftber three Of Table X provides the equivalent 
failure rata of the csojifi^ruration without sensor cross feed or any 
e$lf test. In other words, the equivaLept failure rates or proib- 
ability values provided in this eoliuM are based on the assumption 
that a failure In computation function channel #i will result in 
a loss of channel #1 sensors « By roraovinq the sensor crossfeed, 
the equivalent failure rata for the coiriblnation of eensOrS and 

computation functions was increased from 107 i 46 x 10’'® iColumn #11 
to 237.03 X 10"® (Column #31- 

The equivalent failure rates provided in the fourth column 
of Table X provide the equivalent failure rates that would result 
with 95 percent self-test capability in the computation function ^ 
The result Is the equivalent failure rate of the coratii nation of 

sensor and computation function would be reduced from 237*03 x 10 ® 
(Column #31 to 90.06 x 10”® (Coliann #4l . 


Triple Data Bus Shuttle Con figuration 

The success path diagram for the triple data buB ehuttle con- 
figuration ie shown in Figure 54. 

Rate Gyro Sensor Channel Input * ^ The a-c input power and any 
discretes such as torquer inputs for each rate gyro are provided 
from each MDM channel through the subsystem interface board - C 
tSSlB^cl . The outputs from each rata gyro are fed into both fiSIB-A 
and SSIB-B each o£ which can feed either of the two redundant MDH 
channels (AtBj . For successful operation of a given rate ^ro 
channel SSIB-A or SSIB-B and PIDW-A or MDM-B are required. For 
successful Operation of the total rate gyro function, at least two 
o£ the three rate ^ro channels must be operational . Because com- 
parison monitoring is used, the equivalent failure rate for any 

given gyro axis was computed to be approximately 1*685 x 10"^® on 
the basis of a 2-hour inission* 

Computafjgn' . - ThO of the three data buses are required for 
successful operation* The equivalent failure rate for a two of 
three redundancy fifthoiiie in a 2^-hour mission is less than 0,0092 x 
10 "®* 


The predicted failure rate for the ECU and APlOl combined is 
31.5%/lOOt) hours. With the crossfeed that would be available with 
this aye tarn, two of three channels are required for successful 


141 




































operation. The equivalent failure rate for this arrangement for 
a 2-hour mission is approximately 59.472 x 10“®, 

It is apparent that the failure rate of the data bus alone 
is negligible in comparison with the other components making up 
the computational function. 

Actuator MDM . - The equivalent failure rate using the success 
path diagram will yield conservative results because some subfunc- 
tions are repeated more than once in the success path diagram. A 
0.05%/1000 hour failure rate was assigned to each data bus. A 
5%/1000 hour failure rate is used for each of the two redundant 
MDM channels (MDM A&B) and a failure rate of 0.5 percent for the 
output SSIBs. Using these failure rates and a 2-hour mission, the 
equivalent failure rate for the output MDMs is approximately 
0.00015 X 10”® (nearly negligible with respect to the power actu- 
ator function) . 

System equivalent failure fate . - The equivalent failiire rate 
for the triple-data bus Shuttle configuration is summarized in 
Table XI. The equivalent failure rate (2-hour mission is approxi- 

— fi 

mately 66.21 x 10 °) . The probability of failure per hour for the 
configuration is approximately 66.21 x 10“®. 

As shown in Table XI, the largest area of unreliability is 
the computation function. Out of a total configuration equivalent 

failure rate of 66.22 x 10”®, 59.5 x 10”® is due to the unreli- 
ability of the computation function. 

If it is assumed that each BCU/computer (computation function) 
has 95 percent self-test effectiveness, then the computation func- 
tion can be performed by one BCU/computer if the second failure is 
detectable via self test. With an assumed 95 percent self-test 
capability the equivalent failure rate for a 2-hour mission of the 

computation function is reduced from 59.5 x 10”® to 2.98 x 10”® 
and the overall system equivalent failure rate for a 2-hour mis- 
sion is reduced from 66.21 x 10”® to 9.73 x 10”®. This yields a 
0.973 X 10”^ probability of failure per hour which meets the 
1 X 10”^ probability of failure per hour goal. 

With self test, the relative probability of failure Of the 
three basic system functions are as follows; 
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TABLE XI. - EQUIVALENT FAILURE RATE AND PROBABILITY OF 
FAILURE PER HOUR FOR TRIPLE DATA BUS SHUTTLE CONFIGURATION 


Function/sub-function 

Failure rate 
(X)%/1000 hours 

Success 

criteria 

Sub-function 
equivalent 
failure rate 
X 10“® 

Probability 
of failure 
per hour 
X 10 “8 

Sensors 




6.50862 

1. Pitch rate channel 

5,3005 

2 of 3 

1.68542 


2. Roll rate channel 

5.3005 

2 of 3 

1.68542 


3. Yaw rate channel 

5.3005 

2 of 3 

1.68542 


4. Normal accelerometer 
channel 

3.3005 

2 of 3 

0.65352 


5. Lateral accelerometer 
channel 

3.3005 

2 of 3 

0.65352 


6 . STICK accelerometer 
chemnel 

1.1005 

2 of 3 

0.07266 


7 . Control/Discrete 
channel 

1.1005 

2 of 3 

0.07266 


Computation 




59.47290 

1. Data bus 

0.0500 

2 of 3 




2. Bus control unit 

1 




•59.47290 


3 . Computer 

1 

1 

> 31.5 

2 of 3 

4 



4 . Memory 

J 





Actuation 




0.2372 

1. Multiplex/demultiplex 
and secondary actuators 

See success 
path diagram 

See success 
path diagram 

0.0002 


2. Right elevon actuator 
channel 

n 

11 

0.0474 


3. Left elevon actuator 
channel 

II 

II 

0.0474 


4. Right elevon actuator 
chahnel 

II 

II 

0.0474 


5. Left elevon actuator 
channel 

It 

II 

0.0474 


6. Rudder - elevon actuator 
channel 

II 

II 

0.0474 


Totals 




66.21892 
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o Sensor function 
o Computation function 
o Actuation function 
Total for system 


6,50862 X 10 
2.98489 X 10”® 
0.2372 X 10~® 
9.7307 X 10"® 


Additional computational redundancy such as analog backup 
can only result in the total system probability of failure chang- 

— 8 “8 

ing from 9.73 x 10 to approximately 6.75 x 10 . Any sub- 

stantial further increase in system reliability would require 
additional sensor function redundancy. 

Triple data bus and quadruple computer shuttle configuration . - 
One of the advantages of the triple-data bus configuration is its 
flexibility with respect to configuration change; for example, 
it would not be difficult to add a fourth computer, as shown in 
the functional block diagram of Figure 44 . With a fourth com- 
puter the probability of failure per hour would be reduced to 

“ 8 

approximately 10.606 x 10 .A comparison at the function 
level is as follows : 



“ 8 

Probability of failure per hour x 10 

Function 

Configuration with 
triple computers 

Configuration with 
quadruple computers 

Sensor 

6.509 

6.509 

Computation 

59.473 

3.860 

Actuation 

0.237 

0.237 

Totals 

66.219 

10.606 


With self test (95 percent) or analog backup for the comp- 
utation function, the probability of failure per hour will 

approach 6.8 x lO"'^ with the liinit due to sensor and actuator 
xinreliability . 


Quadruple Channel 

Commercial transport configuration . - The success path 
diagram for the quadruple commercial transport configuration is 
shown in Figure 55. The equivalent failure rate is STommarized 
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SENSOR 


•COMPUTATION 


ACTUATION 


4 OF 6 4 OF 6 



• ALL FAILURE RATES ARE IN TERMS 
OF PERCENT PER 1000 HOURS 

• ALL PROS OF FAILURE PER HOUR XIO’8 
ARE BASED ON A 2 HOUR MISSION 


Figure 55. 


Commercial Transport Configuration 
Success Path Diagram 
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in Table XII, The equivalent failure rate (2"hour mission) is 

approximately 0.35 x 10“® failures per flight hour. This equals 
a probability of failure per flight hour of approximately 0.35 x 
10 “ 8 . Since the equivalent failure rate of the computation func- 
tion for a 2 of 4 operational redundancy configuration is small 
compared to the actuation function (0.11 x 10“® versus 0.24 x 10“®) 
the resulting probability of failure, if a 95 percent self-test 
capability in the computation function is used to increase the 
redundancy to a 1 of 4 computation redundancy, will approach the 
probability of loss of the actuation function or approximately 
0.24 X 10“® per flight hour. In other words, the system opera- 
tional reliability gain by considering the self-test capability 
of the computation function is very minimal in this case. 

The probability of failure in a 2-hour period is approxi- 
mately equal to 


2 X 0.3495 X 10 ® = 0.6990 x 10“® 


The probability of failure per hour = 


0.6990 X 10~® 
2 


0.3495 X 10 ® 


If the self-test capability of the digital computation func- 
tion is utilized to operate with 1 of 4 when the third failure is 
detected with self test, the equivalent failure rate of the comp- 
utation function becomes very small with respect to the actuation 
function and assuming a 95 percent self-test capability yields a 
system probability of failure per hour of approximately 0.2388 x 

10“®. Probability of the loss of the actuation function is 
approximately 0.2372 x 10 per flight hour. 


Quadruple data bus shuttle configuration 
probability of failure calculations 

The success path diagram for the quadruple data bus Shuttle 
configuration is similar to that in Figure 53, except the sensor 
and computation functions are represented by four parallel paths . 
The derivation of the configuration reliability rating is s\im- 
marized in Table XIII. The equivalent failure rate (2-hour 

mission) is approximately 0.29 x 10 ® failures per flight hour. 
This equates to a probability of failure per flight hour of 

approximately 0.29 x 10 . 
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TABLE XII. - DERIVATION OF QUADRUPLE COMMERCIAL 
TRANSPORT CONFIGURATION RELIABILITY 
RATING 


Function/sub-function 

Failure rate 
(X)%/1000 hours 

Success 

criteria 

Sub-function 
equivalent 
' failure rate 

X 10-8 

Probability 
of failure 
per hour 
X 10-8 

Sensors 




0,001388 

1. Rate gyro 

5.2 ■ 

4 of 6 

0.001124 


2. Accelerometers 

3.2 

4 of 6 

0.000262 


3. Stick 

1.0 

2 of 4 

0,000002 


Computation 

41.12 

2 Of 4 


0.111039 

1. Interface unit 





2 . Mode control 

41.12 

2 of 4 

0.111039 


3 . CPU 





4 . Memory 





Actuation 




0.2372 

1. Right elevon secondary 
actuator and in-line 
monitor 

4.46 

1 of 3 

0.000035 


2 . Left elevon secondary 
actuator and in-line 
monitor 

4.46 

1 of 3 

0.000035 


3. Right aileron secondary 
actuator and in-line 
monitor 

4.46 

1 of 3 

0.000035 

\ ■ ■ 


4. Left aileron secondary 
actuator and in-line 
monitor 

4.46 

1 of 3 

0.000035 


5. Rudder aileron secondary 
actuator and in-line 
monitor 

4.46 

1 of 3 

0.000035 


6 . Right elevon power 
actuator 

1.54 

1 of 2 

0.0474 


7. Left elevon power 
actuator 

1.54 

1 of 2 

0.0474 


8. Right aileron power 
actuator 

1,54 

l„of 2 

0.0474 


9. Left aileron power 
actuator 

1.54 

1 of 2 

0.0474 


10, Rudder aileron power 
actuator 

1.54 

1 of 2 

0.0474 


Totals 




0.3495 
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TABLE XIII. - EQUIVALENT FAILURE RATE AND PROBABILITY OF 
FAILURE PER HOUR FOR THE QUADRUPLE DATA BUS SHUTTLE CONFIGURATION 


Function/sub- function 

Failure rate 
: (X)%/1000 hours 

Success 

criteria 

Sub-function 
equivalent 
Failure rate 

X 10“8 

Probability 
of failure 
per hour 

X 10 "® 

Sensors 




0.000834 

1 . Pitch rate channel 

5.3005 

2 of 4 

0.0002-38 


2. Roll rate channel 

5.3005 

2 of 4 

0.000238 


3. Yaw rate channel 

5.3005 

2 of 4 

0.000238 


4. Normal acceleromater 
channel 

3.3005 

2 of 4 

0.000058 


5. Lateral accelerometer 
channel 

3.3005 

2 of 4 

0.000058 


6. STICK accelerometer 
channel 

1.1005 

2 of 4 

0.000002 


7. Control/discrete 
channel 

1.1005 

2 of 4 

0.000002 


Computation 




0.050009 

1. Data bus 

0.0500 

2 of 4 




2. Bus control unit 

1 



- 0.050009 


3 . Computer 

> 31.5 

2 of 4 

* 



4 . Memory 

J 




Actuation 




0.2372 

1. Multiplex/demultiplex 
and secondary actuators 

See success 
path diagram 

See success 
path diagram 

0.0002 


2, Right elevoH actuator 
channel 


II 

0.0474 


3. Left eleven actuator 
channel 

n 

II 

0.0474 


4 . Right eleven actuat&f” ' 
channel 


11 

0.0474 


5 . Left eleven actuator 
channel 


II 

0.0474 


6. Rudder eleven actuator 
channel 

M 

II 

0.0474 


Totals 




0.288043 
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Since the probability of failure for the computation function 
is already small (0.05 x 10“^), the resulting probability of fail- 
ure, with either a 95 percent computation self-test capability or 
an analog backup system, is negligible in comparison with the prob 
ability of failure for the actuation function; and therefore, the 
total system probability of failure approaches that for the actua- 
tion function alone (0.24x10“®). 


Reliability Summary 

The first column in Table XIV shows the probability of fail- 
ure per hour for each configuration assiaming comparison monitor- 
ing only. For comparison monitoring at least two redundant 
channels must be operating. If less than two redundant channels 
are operating the system will turn off (fail-safe) . From the 
first column in Table XIV, both the quadruple channel commercial 
transport and quadruple data bus Shuttle configuration exceed the 

1 x 10 probability of failure per hour goal (both having an 
estimated probability of failure per hour approximately 0.03 x 

10 - 7 ) . 


The estimated probabilities of failure per hour for the 
other two configurations do not meet the 1 x 10“^ goal. The 
triple-data bus Shuttle configuration has an estimated probability 
of failure per hour of approximately 6.6 x 10“^ and the improved 
research vehicle configuration has an estimated probability of 
failure per hour of approximately 10.7 x 10“^. 

The second column in Table XIV provides the probability of 
failure per hour for each configuration if a self-test capability 
of the digital computation function (central processor unit, 
memory and input/output circuitry) is provided to enhance the 
redundancy of the computation section. A 95 percent self- test 
capability was used for these calculations. As shown in Column 
2, both the improved research capability and Space Shuttle data 
bus configurations essentially meet the operational reliability 
goal with estimated probabilities of failure per hour of 1.15 x 

10“”^ and 0.97 x 10“^, respectively. 

The above results are in accord with the NASA reliability 
goal and with the conclusions concerning reliability from other 
studies such as Stanford Research Institute studies reported on 
in ref. 25. 
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TABLE XIV. - F-8C DIGITAL FLY-BY-WIRE FCS 
SUMMARY OF CONFIGURATION OPERATIONAL RELIABILITY 
(EXCLUSIVE OF ANALOG BACKUP) 



Probability of failure per hour x 10 ^ 

Configuration 

Comparison monitoring 

Comparison monitoring and 95% 
self test in digital I/O, CPU 

Improved 

Research 

Vehicle 

10.777 

1.153 

Triple-data bus 
Shuttle configuration 

6.622 

0.973 

Quadruple-channel 
commercial transport 

0.035 

0.024 

Quadruple-data bus 
Shuttle configuration 

0.029 

0.024 


MAINTAINABILITY PREDICTIONS 


Mean Time Between Maintenance Action 

Predictions of the mean time between maintenance actions 
(MTBMA) for the four F-8C configurations are provided in Tables 
XV - XVIII. These estimated MTBMAs range from 315 to 410 hours. 


Maintenance Man Hours Per Flig^it Hour 

The maintenance man hours per flight hour are the product 
of the failure rate and the mean time to repair (MTTR) . The 
estimated failure rates (Tables XV - XVIII) for the four con- 
figurations range from approximately 0.025 to 0.040 . 

If the maintenance man hour per flight hour goal of 0.02 were to 
be met, the mean time to repair the system would have to be less 
than 0.5 to 0.8 man hour. It is judged that achievement of this 
MTTR would be possible only with the use of automatic test equip 
ment (ATE) . 

For a single flight test system as in the F-8C DFBW program 
use of ATE would not be cost effective. With manual test equip- 
ment a MTTR of approximately 5 hours has been found appropriate 
by Honeywell for similar flight control systems. Using manual 
test equipment, the resulting maintenance man hours per flight 
hour could be expected to be in the range of 0.12 to 0.20. 
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TABLE XV. - IMPROVED RESEARCH VEHICLE 
CONFIGURATION FAILURE RATE 


Item 

Quantity 

(N) 

mm 

N X 

Rate gyro 

9 

5.0 

45.00 

Accelerometer 

6 

3.0 

18.00 

Stick 

3 

0.8 

2.40 

I.U. 

3 

15.86 

47.58 

CPU 

3 

23.50 

70.50 

AP+SA 

15 

0.88 

13.20 

Secondary accelerometer 

15 

2.08 

31.20 

Power actuator 

10 

1.54 

15.40 

Mode control panel 

1 

1.76 

1.76 


Total series X = 


245.04 %/KH 


MTBMA = 408 hr. 



TABLE XVI. - TRIPLE-DATA BUS SHUTTLE 
CONFIGURATION FAILURE RATE 


Item 

Quantity 

(N) 

X 

(%/KH) 

N X 

Rate gyro 

9 

5.00 

45.00 

Accelerometer 

6 

3.00 

18.00 

Stick 

3 

0.80 

2.40 

MDM 

9 

10.00 

90.00 

SSIB-1 

21 

0.50 

10.50 

SSIB-2 

6 

0.30 

1.80 

Data bus 

3 

0.05 

0.15 

BCU 

3 

8.00 

24.00 

CPU 

3 

23.50 

70.50 

Control panel 

3 

0.60 

1.80 

Secondary actuator 

15 

2.46 

36.90 

Power actuator 

10 

1.54 

15.40 


Total series X = 
Total MTBMA = 

316 hr. 

316.45 
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TABLE XVII. - COMMERCIAL TRANSPORT 
CONFIGURATION FAILURE RATE 


Item 

Quantity 

(N) 

X 

(%/KH) 

N X 

Rate gyro 

6 

5.0 

30.00 

Accelerometer 

6 

3.0 

18.00 

Stick 

4 

0.8 

3.20 

I.U. 

4 

15.86 

63.44 

CPU 

4 

23.50 

94.00 

AP+SA 

15 

0.88 

13.20 

Secondary actuator 

15 

2.08 

31.20 

Power actuator 

10 

1.54 

15.40 

Mode control 

1 

2.40 

2.40 


Total series X = 


270.84 %/KH 


Total MTBMA = 

368 hr. 



TABLE XVIII. - QUADRUPLE DATA BUS SHUTTLE 
CONFIGURATION FAILURE RATE 


Item 

Quantity 

(N) 

X 

(%/KH) 

N X 

Rate gyro 

12 


60.00 

Accelerometer 

8 


24.00 

Stick 

4 


3.20 

MDM 

12 


120.00 

SSIB-1 

28 


14.00 

SSIB-2 

8 


2.40 

Data bus 

4 

0.05 

0.20 

ECU 

4 


32.00 

CPU 

4 


94.00 

Control panel 

3 

0.60 

1.80 

Secondary actuator 

15 

2.46 

36.90 

Power actuator 

10 

1.54 

15.40 


Total series X = 


403.90 %/KH 


Total MTBMA = 

247.6 hr. 
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The following costs used in the tradeoff are best engineer- 
ing estimates based upon recent Honeywell experience in configuring 
flight control and data bus systems. They have not been reviewed 
nor approved by Honeywell production or pricing departments and 
should not be construed to represent either present or future 
Honeywell component prices. 


COST SUMMARY 


Cost of Improved Research Vehicle Configuration 


(3) 

Control 

panels 


$ 15 

000 

(3) 

APlOl 

$87 

000 

261 

000 

(3) 

Interface unit $50 

000 

150 

000 

(9) 

Rate gyros 

$ 1,000 

9 

,000 

(6) 

Accele'rometers 

$ 1,000 

6 

,000 

(3) 

Analog 

electronics 

$10 000 

30 

000 

(5) 

Secondary actuator mods 

30 

000 





$501 

000 


Cost 

of Triple-Data Bus Shuttle 

Configuration 

(3) 

Control 

panels 


$ 15 

000 

(3) 

APlOl 

$87 000 


261 

000 

(3) 

ECU 

40 000 


120 

000 

(9) 

,MDM . 

25 000 


225 

000 

(9) 

Rate gyros 

$ 1,000 

9 

,000 

(6) 

Accelerometers 

1,000 

6 

,000 

(3) 

Analog 

electronics 

10 000 

30 

000 

(5) 

Secondary actuator mods 

30 

000 


(Including improved 

valves) 







$696 

000 
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Cost of Quadruple Commercial Transport Configuration 


(3) 

Control panels 


$ 

15 000 

(4) 

APlOl 

$87 000 


348 000 

(4) 

Interface unit 

50 000 


200 000 

(6) 

Rate gyros 

$ 1,000 


6,000 

(6) 

Accelerometers 

1,000 


6,000 

(1) 

Quadruple stick and 
rudder pedal 



10 000 

(4) 

Analog electronics 



40 000 

(5) 

Secondary actuator mods 


30 000 


Aircraft mods for 4 

channels 


200 000 




$“ 

855 000 


Cost of Quadruple 

Data Bus Shuttle Configuration 

(3) 

Control panels 


$ 

15 000 

(4) 

APlOl 

$87 000 


348 000 

(4) 

ECU 

40 000 


160 000 

(12) 

MDM 

25 000 


300 000 

(12) 

Rate gyros 

$ 1,000 


12 000 

(8) 

Accelerometers 

1,000 


8,000 

(1) 

Quadruple stick and 
rudder pedal 



10 000 

(4) 

Analog electronics 



40 000 

(5) 

Secondary actuator mods 


30 000 


Aircraft Mods for 4 

channels 


200 000 




$r 

123 000 
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Configuration Tradeoff 


The results of summing up the calculated/estimated values 
for the four chosen parameters are shown in Tables XIX and XX. 

It is immediately apparent that the total spread of ratings is 
small, and that for the top three the variation is so small as 
to be obviously within the tolerance of the tradeoff procedure. 
This does not necessarily mean there is no valid choice to be 
made. Previous experience in evaluations of this sort has shown 
that it is not unusual for cases having the same figure of merit 
to exhibit dissimilarity in terms of desirability when the indi- 
vidual factors are considered. In this case it can be seen that 
while reliability and maintainability tend to cancel each other 
their total effect is small. The two powerful but compensating 
factors are cost and application to Shuttle. It is apparent that 
if either of these factors were weighted by 2.0 instead of 1.0 
there would then be a significant difference in the total rating. 


Considered in that light, the tradeoff can give valid guidance 
as to the choice of a configuration-to-wit if cost and application 
to Shuttle are really of equal importance then some factor not in- 
cluded in the original tradeoff, say schedule, can become the de- 
ciding factor. On the other hand if after further consideration, 
a difference in the relative importance of cost vs . application 
to Shuttle develops, the total ratings will change and the choice 
will be obvious. At the very least the tradeoff procedure has 
served to emphasize the critical fa ctors and focus attention on 
them. 


TABLE XIX. - CONFIGURATION TRADEOFF 


Candidate 

Configuration 

Cost 

Reliability 

Maintainability 

Application 
to Shuttle 

Total 

Rating 

Iitproved research 
vehicle configuration 

10 

8.0 

2.5 

6 

26.5 

Triple-channel data 
bus Shuttle 
configuration 

7.2 

8.25 

1.94 

9 

26.39 

Quadruple-channel 
commercial transport 
configuration 

5.85 

10 .0 

2.25 

5 

23.1 

Quadruple- channel 
data bus Shuttle 
configuration 

4.46 

10.0 

1.51 

10 

25.97 
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TABLE XX. ~ SUGGESTED RANKING FOR F-8C DFBW CONFIGURATIONS 


Configuration 

Score 

Major advantage 

Potential disadvantage 

In^roved research 
vehicle configuration 

26.5 

Low cost 

Limited application to 
Shuttle 

Triple- channel data 
bus Shuttle 
configuration 

26.39 

Applicable to 
Shuttle 

High cost 

Quadrup le- ch anne 1 
commercial transport 
configuration 

23.1 

Reliability /cost 
ratio good 

Limited application to 
Shuttle 

Quadruple-channel 
data bus Shuttle 
configuration 

25.97 

Most applicable 
to Shuttle 

Highest cost 
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SECTION 8 


CONCLUSIONS AND RECOMMENDATIONS 


The major objective of this study was to develop conceptual 
designs of DFBW control systems for use in the last phase of the 
NASA F-8C DFBW program. A comparison of four such designs, all 
meeting the basic reliability goal, has been presented in pre- 
ceding sections. In addition, considerable detail has been 
presented on other features of DFBW system design, with parti- 
cular emphasis on the performance of the secondary actuators . 

This section is confined to general conclusions and recom- 
mendations, presented in approximate order of significance. 

1) A basic crossfed triple-redundant configuration will 

not meet the failure probability goal of less than 1.0 

X 10 failures per flight hour. Additional monitor- 
ing or redundancy in the sensor or computer sections 
must be added to meet the goal; for example, the 
addition of 96 percent self-check capability to the 
computer section will suffice. Note that the servo- 
actuators, due to inline monitoring, already have 2- 
fail-op capability whereas the triple sensors or 
computers without the self-check feature have only 
1-fail-op capability, and thus are the weaker links. 

In the cases considered, the addition of a data bus to 
the triple configuration caused a small ( 35 percent) 
decrease in failure probability; for the quad config- 
uration there was essentially no effect. Thus, it 
appears that the effect of the use of a data bus will 
depend on the specific application, and the decision 
will probably be based on factors other than failure 
probability. The desirability of a data bus for the 
NASA F-8C DFBW program is discussed in item 3 below. 

For the purposes of the NASA F-8C DFBW program, a 
triple configuration with a high degree of self-check 
capability would seem most suitable. The use of 
in-line self-check is considered important because 
the effectiveness of this feature in decreasing 
failure probability - without completely duplicating 
computers - will cause it to be used extensively in 
future systems. In this particular case the exact 
amount of self-check (and decrease in failure prob- 
ability) capability is not critical because of the 
presence of a backup control system (BCS) and the 
experimental nature of the program. The data of 
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Figures 48 through 50 show clearly that the inclusion 
of the BCS will lower the failure probability to a 
satisfactory level for all cases. Further, in a test 
program a flight can be aborted at the first failure 
indication, and thus essentially preclude the occurrence 
of additional failures. 

2) The secondary actuator hysteresis must be decreased to 
below 0.1° surface motion in the primary digital mode 
in order for the F-8C DFBW FCS to be effective in ad- 
vanced control law research. The basic reason for 
excessive actuator hysteresis in the Phase I configura- 
tion is inadequate ratio of force gain to static fric- 
tion. This ratio can be improved by replacing the 
electrohydraulic valves and modifying the drive elec- 
tronics. The addition of well designed in-line servo 
loop monitoring would provide 2-fail-op servo charac- 
teristics and prevent the servo area from being the 
limiting factor in reducing system failure probability. 
The suggested servo modifications would also increase 
servo bandwidth which in turn would improve overall 
performance in CCV operations . 

3) The configuration considered to be most effective for 
aiding the Shuttle flight control development is that 
labeled "Triple Redundant Shuttle". (Obviously, the 
"Quad Redundant Shuttle" configuration would more 
closely resemble the actual Shuttle arrangement, but 
cost and installation factors preclude its use for the 
F-8C program.) This triple configuration with either 
actual or simulated (in hardware) bus interface elec- 
tronics would provide valuable experience in the use 
of data buses for flight control signal transmission 
and would represent fairly well the Shuttle FCS as it 
will be configured after one failure. If the sensor/ 
computer/servo buses are not used, the I/O processing 
(whether in the AP-101 or in interface units) will be 
significantly different from that of the actual 
Shuttle FCS. This means that the housekeeping rou- 
tines will be different from Shuttle, thus, little of 
the experience will be directly applicable. On the 
other hand, computer synchronization methods, sensor/ 
servo failure detection programs and computer self- 
check routines could be evaluated with a non-data bus 
system, depending on the degree to which actual 
Shuttle software can be used. Overall, it would seem 
that, inasmuch as the major new area in the Shuttle 
FCS design is the very sophisticated data bus config- 
uration, a data bus system would be desirable if at 
all feasible in terms of program cost and schedule. 
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4) 


It does not appear feasible or really necessary to 
modify the F-8C secondary and/or surface actuators to 
closely resemble those of the Shuttle. Electrohydrau- 
lic actuators and their use in flight control systems 
represent a mature technology. Assuming that the 
Shuttle actuator design follows good design practice, 
the actuators should not be a critical factor in the 
development of the Shuttle flight control system, 
particularly in regard to redundancy management. 

5) Reconfigurable computer technology, in its current 
(mid-1974) state of development does not appear 
applicable to the design of practical fault-tolerant 
aircraft control systems. This is probably more a 
result of timing than of any fundamental factor. The 
recent NASA-funded studies have been concerned with 
the formulation of basic concepts and the development 
of analytical tools and have not yet reached the stage 
of designing particular arrangements which can be 
applied to existing computers . 

It may be worthwhile noting, however, that one of the 
concepts receiving considerable attention is that of 
detecting and compensating for "transient failures". 

The significance of techniques for transient failure 
compensation depends, of course, on the prevalence of 
transient failures? there is little specific data on 
this, but experience with Honeywell-designed mature 
digital equipment does not indicate a significant 
occurrence. Nevertheless, it is suggested that if any 
data is available that indicate an appreciable occur- 
rence of transient failures in well-designed digital 
equipment, additional research to evaluate and quantify 
the prevalence of such failures should be run parallel 
to further analytical studies of transient failure 
compensation techniques. 
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APPENDIX A 


F-8C SERVO ACTUATOR RESPONSE REQUIREMENTS 


Current studies under contract NAS 1-12680, "Digital CCV 
Flight Control Laws" have investigated pitch control laws for 
the following flight conditions : 


Altitude 

(Meters) 

Altitude 

(ft) 

Mach 

Weight 

(lb) 

Weight 

(KG) 

CG(%c) 

Short Period 
g per degs 

0 

0 

0.189 

19 999 

9090 

36 

0.17 

0 

0 

0.300 

20 600 

9363 

29 

0.30 

0 

0 

0.530 

20 600 

9363 

29 

0.72 

0 

0 

0.700 

20 600 

9363 

29 

1.3 

3048 

10 000 

0.800 

20 600 

9363 

29 

1.1 

6096 

20 000 

0.400 

20 600 

9363 

29 

0.23 

6096 

20 000 

0.600 

20 600 

9363 

29 

0.46 

6096 

20 000 

0.670 

20 600 

9363 

29 

0.59 

6096 

20 000 

0.900 

20 600 

9363 

29 

0.99 

12192 

40 000 

0.700 

20 600 

9363 

29 

0.25 

12192 

40 000 

0.900 

20 600 

9363 

29 

0.45 

12192 

40 000 

1.200 

20 600 

9363 

29 

0.26 

In 

addition. 

the above 

conditions 

have 

also been 

studied 


for aft eg locations up to 48 percent of c. For all cases, a 
secondary (driver) servo second-order characteristic having an 
undamped natural frequency of 10 hz and a damping ratio of 0.7 
was assumed, and a first-order power actuator with a time 
constant of 0.08 sec was assumed. These characteristics 
correspond to the Honeywell understanding of prevailing airplane 
equipment . 

The conventional control laws synthesized to date employ 
combinations of normal acceleration and pitch rate as elevator 
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Appendix A 


feedback quantities. No special bending filters have been 
applied, nor have any lead compensation elements been used to 
effectively increase actuator bandwidth. Although the latter 
does constrain attainable control loop bandwidth to some extent, 
the current actuator performance in the linear regime has not 
been a major detriment towards attainment of good fly-by-wire 
perfomance over the anticipated flight envelope. Fxirthermore , 
it is questionable whether actuator bandwidth extension would 
afford material performance benefits, considering the added 
constraints of structural mode stability. 

It is evident from the above flight condition set that the 
higher dynamic pressures are not included (above 725 psf) (30.6 
KG/m^) , particularly those at supersonic conditions having higher 
short-period frequencies and lower damping. Thrust limitation 
is presumably the reason. Should more stringent cases be imposed, 
however, system compensation which avoids higher gains over 
structural mode frequencies would appear preferable to simple 
extension of actuation bandwidth. Figure Al illustrates a 
simple pitch damper in three configurations applied to a higher 
q flight condition. Configuration A with no shaping is unable 
to achieve 0 . 35 damping with prevailing servoactuator character- 
istics. Configuration B adds phase-lead compensation which 
brackets the short-period frequency. Configuration C adds lead- 
lag shaping which effectively produces an actuator break 
frequency of 30 rad/sec. Both B and C achieve 0.35 damping, but 
C has about twice the loop gain at the higher frequencies . 

From the analysis which has been done on servoactuator 
non linearities such as hysteresis, it is evident that state-of- 
the-art actuator performance is necessary to achieve satisfac- 
tory performance levels. This is considered to correspond to 
magnitudes of nonlinearities below 0.05° of equivalent elevator 
deflection. With elevator effectiveness in excess of 1 g per 
degree at the higher dynamic pressures, control resolution is a 
concern for normal eg location; and with an unstable airframe, 
limit cycle amplitudes within the 0.05 g level are required. 
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APPENDIX B 


ANALYSIS OF SECONDARY ACTUATOR FORCE GAIN 
INCREASE WITHOUT CHANGING SERVO VALVES 


The inadequate force gain may be improved by increasing 
piston area by "reboring" the cylinder and fitting with a new 
piston or reducing the rod size. This rework can only provide 
a 20 to 25 percent increase in piston area, without severely 
limiting output velocity, and consequently, is not effective 
where more substantial changes are necessary. If we assume that 
total static friction in the roll axis (the worst case) is as 
high as 200 lb (90.9 KG), then to meet the suggested 0.1° hys- 
teresis limit and with the present mistrack tolerance (1.5° 
assumed) , the secondary actuator piston area needed may be de- 
termined from Figure Bl. 



Figure Bl. Large Area Secondary Actuator 
Output Force vs. Peak-to-Peak 
Hysteresis NASA F-8C Roll Axis 
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Here we have assumed that we must meet the hysteresis re- 
quirement with two channels operating (one failure) — note that 
the single- channel force output at the 1.5° mistrack limit is 
1500 lb (681.8 KG). If no changes were made in the AP sensor 
setting (1200 psi) (84.54 KG/cm^) , actuator area would have to 
be 1.25 sq. inches (8.08 cm^) and Kv (column G, Figure 20) would 
be reduced to 0.80. In order to maintain a loop gain of 57.4 
rad., Ka (column D, Figure 20) would need to be increased accord- 
ingly, or from 44,3 to 291.7 ma/v. Unfortunately, this increases 
the stiffness as well, and thus, there is no net improvement. 

One compromise that might be attempted is to increase the 
AP limit — if doxabled (2400 psi) (169 KG/cm^) , actuator area would 
only need be 0.625 sq. in. (4.03 cm^) , and gains could be adjusted 
accordingly. However, analysis shows that the critical factor in 
achieving satisfactory force output and tolerable mistrack compa- 
tibility is the servovalve flow gain to pressure gain ratio. Un- 
fortunately, with the present system, little can be done to alter 
this . 


However, close examination of the factors involved indicates 
that there is a way to lower (or raise, for that matter) the 
effective pressure gain of the servovalve. This can be done by 
feeding back a signal from the AP sensor to the servoamplifier 
input (Figure B2) . 



Figure B2. Pressure Feedback System 
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Examining the valve characteristics for the single stage 
servovalve closely, it is noted that the present valve has a 
maxim\jm flow capacity of 0.177 gpm (.67 liter per minute), or 
0.682 cubic inches per second (11.18 cmvsec) . If the minimum 
allowable actuator velocity is 2.0 in/sec (5.08 cm/sec), then the 
piston area we could use would be 0.341 square inches (2.2 cm^) . 
Unfortunately, this requires severe modifications to the actuator 
body or piston rod and does not appreciably affect force gain, so 
unless the EHV is replaced, little can be done to overcome the 
present static friction loads. 

Note that the relatively low loop gains, combined with the 
low pressure gains in the backup channels, produce low force 
gains in those same modes (re: "stiffness" column 0, Figure 20). 

It is those low force gains which are necessary for the opera- 
tion of a system of this type that are the source of most of the 
trouble 1 

Because of component non-linearities and tolerances, no two 
servo cylinder channels are identical — and some provision must 
be made to allow the redundant actuator to "live with" those non- 
identities. In this secondary actuator design, it is the low- 
pressure gain of the servovalve (and the resulting low-channel 
stiffness) that allows this. When all three channel servocylin- 
ders are rigidly connected (or "force-summed") the output posi- 
tion of all are forced to be identical. If any one channel 
should disagree with the others, the resulting error will cause 
that channel to produce a force, and if there are no loads on 
the actuator, that force will cause the other channels to reposi- 
tion themselves until they produce an equal and opposite counter- 
acting force. 

When the sum of all the actuator channel forces is zero, 
the actuator is in balance, and any channel errors, or "mis- 
tracks" will appear as differential pressures in each channel. 
Also, the differential pressure will be directly proportional to 
the difference between the channel's position and the average of 
all channel positions. The amount of mistrack that can be tol- 
erated in any channel, then, is inversely proportional to the 
actuator force gain. 

The basic concept assvimes that there is no load on the 
actuator; even if there were no load external to the actuator 
(which usually is not so) , there would still be some internal 
load caused by seal friction, etc. Unfortunately, this is some- 
times ignored by assuming that the output force of the actuator 
is so high that any friction or other loads are irrelevant. We 
have here a case in which this is definitely not true. 
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ANALYSIS OF SECONDARY ACTUATOR 
GAIN INCREASE BY CHANGING SERVO VALVES 


From the foregoing discussions of Appendix B, it is apparent 
that any changes to the present secondary actuator cylinder will 
also require replacement of the EHVs. Since such an extensive 

alteration would be economically impractical a better 

approach would be a system modification which would only require 
replacement of the EHVs. Acceptable characteristics for 
improved valves used in the present secondary actuator loops can 
be determined using actuator hysteresis as a basic design 
requirement. 

In order to meet the system performance requirements, the 
hysteresis limits of the actuator must be such that when oper- 
ating with a single secondary actuator channel not over 0.1° 
hysteresis (peak-to-peak) is evident with a 200-lb (90.9 KG) 
static friction load. This means that our single-channel stiff- 
ness must be at least 400 lb/0.1° (181.8 KG/0.1°), or 4000 lb/ 
degree (1818 KG/°) (compare this to the present numbers in coliamn 
0, figure 20) . In the case of the roll axis, this is equivalent 
to 121 600 Ib/in. (21761 KG/cm) , and for the pitch axis it is 
66 600 Ib/in. (11,918 KG/cm) (compare these to the numbers in 
col;omn K, figure 20) . 

Concentrating on the roll axis (because it is the worst 
case), a simple design can be accomplished as follows: 

1) With a 0.189 sq in. (1.22 cm^) piston, and mini- 
mum velocity limit of 2 in. /sec (5.08 cm/sec), the 
servovalve should have a peak flow capacity of : 

2 X 0.189 = 0.378 cu in. /sec, or 0.098 gpm (.371 
liter/min) 

2) If the present servoamplifiers are to be used (not 
necessarily desirable) , maximxm flow should occur at 
16 ma, or Kg should=0 .0236 cu in./sec/ma. (.387 cc/ 
sec/ma) 

3) Because high force gains are analogous to high loop 
gains, a loop gain of 100 rad would not be out of 
order for this system. Accordingly, if Kf, kd, and Ks 
were kept "as is:" 

kf X kd X ks X ka X kg x kv = 100 

or: 5.0 x 1.3 x 1.305 x ka x 0,0236 x 5.27 = 100 
so ka = 9 4 . 8 m.a/V 
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4) The "dry loop" gain (electrical gain only-no EHV or 
cylinder factors included) is: 

kf X kd X ks X ka = 

5.0 X 1.3 X 1.305 X 94.8 = 804.1 ma/in. (316.6 ma/cm) 

5) So for the output stiffness to be 121 600 Ib/in. 

(21761 KG/cm) the pressure gain with a 0.189 sq in. 

(1.22 cm2) piston must be: 

121 600 / 0.189 / 804.1 = 800.1 psi/ma (56 . 37 KG/cm^/ma) 

But this is only the theoretical pressure gain, and 
hysteresis of a two-stage servovalve must be included 
if realistic numbers are to be obtained. 

6) If a figure of 5 percent is used for servovalve 
hysteresis (the second stage may have added friction 
due to monitoring devices, etc.), this would amomt 
to 0.8 ma on a 16 ma valve, and the resulting 
hysteresis would be: 

0.8 / 800.1 = 0.001 inch (.0254 mm) 

which in the roll axis would be: 

0.001 X 30.4 = 0.0304°, say 0.03 

7) if 0.1° is the maximum allowed, and if the valve 
uses 0.03°, then servo loop stiffness can be allo- 
cated only: 

0.1 " 0.03 = 0.07°, 0.07 / 30.4 = 0.0023 in. (.0584 mm) 

8) And at this deflection, the output force must be at 
least the equivalent of 400 lb (181.8 KG) (because 
hysteresis is defined to be peak-to-peak) or: 

400 / 0.0023 = 173 913 Ib/in. (31123 KG/cm) 

which, with a 0.189 sq in. (1.22 cm2) piston is: 

173 913 / 0.189 = 920 174 psi/in. (25522 KG/cm^/cm) 

9) So with a dry- loop gain of 800.1, this gives a 
minimum pressure gain (kp) of: 

920 174 / 800.1 = 1150 psi/ma (81.02 KG/cm2/ma) 
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10) and, for reference, the stiffness (column 0 of Figure 
20) would be; 

173 913 / 30.4 = 5720 Ib/deg (2600 KG/deg) 

11) And the surface dry loop gain (column P) would be: 
800.1 / 30.4 = 26.32 ma/deg 

The resulting kp may seem unreasonable in view of the fact 
that the present primary channel servovalve has a kp of 2000 
psi/ma (140.9 KG/cm2/ma) , but notice that the flow gain for that 
same valve is 0.24 cu in./sec/ma — or 10 times the flow gain of 
the hypothetical valve 1 As stated earlier, it is the ratio of 
flow gain to pressure gain that governs stiffness, and in this 
regard, the present primary servovalve has a Kp of only one - 
eighth the amount indicated, or 250 psi/mal (17.6 KG/cm^/ma) 
Therefore, the present primary servovalve cannot be used to 
achieve the desired hysteresis characteristic. Figure Cl illus- 
trates the difference. 



Figure Cl. Actuator Static Friction vs, Peak-to-Peak 
Hysteresis Optimized Valve and Present 
Actuator NASA F-8C Roll Axis 
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Measured hysteresis points are indicated as well as the 
"critical design point," i.e., 200 lb (90.9 KG) of static fric- 
tion and 0.1° hysteresis. Note the effect of valve hysteresis 
in the system and why the actual valve pressure gain must be 
significantly higher in order to meet the performance requirements. 

These revised aileron axis secondary actuator loop gains 
are included in Figure C2 which permits comparison with the 
gains previously included in Figure 20. 


170 




Kp 

A 

STIFFNESS 

Kr 

KG/CM2 

cm2 

KG 

DEG 

MA 


CM 

CM 

140.9 

1,22 

2,095 

6.56 

8.45 

1.22 

1,116 

6.56 

140.9 

1.22 

3,188 

11.97 

8.45 

1,22 

1,525 

1 1.97 

81,0 

1,22 

31,138 

1 1.97 


ELECTRO ELECTRO exiFFWF^^ 
HYDRAULIC HYDRAULIC STIFI-Ntbb 

VELOCITY FORCE 
GAIN GAIN 

DEG/SEC KG KG 


MA MA 


21.08 171.8 319.2 


2.547 10,31 170 


38.44 171.8 266,4 


4.64 10.3! 127.4 


DRYLOOP 
(IN DEG) 
MA 



STIFFNESS 

LBS 

Kr 

DEG 

IN 

IN 

11,707 

16.67 

6,237 

16.67 

17,815 

30.4 

8.523 

30.4 

174,000 

30.4 



21.08 378 


2.547 22.68 374.1 


38.44 378 506,0 


4.64 22,68 280.3 


3.78 217.3 5720 


Figure C2. F-8C Secondary Actuator Loop Gains 


































































































































































































































APPEiroij; D 


FEASIBILITY OF SIMULATING 
THE SHUTTLE ACTUATlGH SYSTEM 

During the early montiia of thifi study effortj the F^SC 
progrsun emphasifi shifted toward providing support to the Space 
Shuttle FCS development* Accord! ngly^ Honeywall included this 
factor in the procesB of evaluating possible actuator arrange- 
EnentB . 


SHUTTLE ACTDATION DEFINITION 


The current Space Shuttle eleven actuation syetom is 
schematic ally portrayed in Figure Dl* 



ddBrmln»1iD[i 


Figure Dl- Space Shuttle Elevoh AhtUitttiOTi. 
System Schematic 
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Mote that this system uses a force -sumiived secondary actuator 
BiRilar to the backup chatmels of the F-3c secondaiiy actuatorj 
except that within the secondary actuator^ loechanicaX feedbaclc 
is employed to close that integration loop. Output position of 
that loop represents velocity of the surface actuator f and posi- 
tion of the surface actuator is fed back electrically via four 
LVC^s to the servo amplifiers as shown. Failure detection capa- 
bility is provided by a differential pressure transducer in each 
channel for the secondary actuator {as in the F-9c research 
Vehicle) and pressure gradients far the emiNming logic are pro- 
vided by electrohydraulic servovalves (EHVs) with severely re- 
duced pressure galn» 


ALTERNATIVES COtlSlDERED FOE SHUTTLE ACTUATOR SIMULATION 


The following four concepts were considered as possible 
alternatives for modification of the F-8c research vehicle to 
simulate the Space Shuttle actuation systemi 

1) Design and build new actuators for all three axes 
using the Shuttle concept exactly. 

2) Design and build "secondary actuator/serva valve 
packages* which would replace the servovalves and 
input linkages on the present actuators. 

3) Design and build secondary actuators to iDount on 
the present actuator assemblies j but optimized 

to drive the present servovalves through modified 
linkages * 

4) 'Modify the existing secondary actuators to operate 

in the Shuttle driver inode and mount them to 
Operate through modified linkages « 


rtODiriCATlON OF EXISTING SECONDAEr 
ACTUATOR TO SIMULATE SHUTTLE 


Of the four possible solutions indicated above ^ the last is 
considered the moat economically feasible. In addition, it 
appears to be technically feasible since the F-0C eeijondary actu- 
ator is siTidlar to the proposed Shuttle concept, except for the 
following: 
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o Four channels in the Shuttle instead of three 
in the F-8C 

o Output position represents control surface 
velocity instead of control surface position 

o Mechanical (spring) feedback on the Shuttle 

secondary actuator position instead of electrical 

o Two-stage EHVs with higher pressure gain com- 
pared to the single-stage units on the F-8C. 

In order to convert the present actuation system to a close 
approximation of the Shuttle system, solutions would have to be 
found to compensate for all these differences. The four neces- 
sary modifications are: 

1) Operate the present F-8C secondary actuators in 
a pseudo four-channel arrangement by using the 
present digital channel as a backup for the other 
three channels, or by using an electronic model 
for the fourth channel . 

2) Convert the present secondary actuator to operate 
in a mode wherein its output represents velocity. 

This is a formidable task. Thfe existing F-8C 
aileron actuation system is depicted in Figure D2. 



Figure D2. F-8C Aileron Actuation Schematic 
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Note that the surface actuator uses "moving body 
feedback" and raising the aileron requires extend- 
ing the primary actuator and retracting the 
secondary actuator. To put the secondary actuator 
in the velocity mode would require some means of 
"erasing" position from its output. One way that 
this can be done is shown in Figure D3. 


AILERON 


POSITION 
REVERSING 
LEVER 



QUAD LVDT 


SUMMING 

LEVER 


SECONDARY 

ACTUATOR 


Figure D3 . Shuttle Velocity Type Secondary 
Actuator Schematic 


In this arrangement, primary actuator position is 
"erased" from the input signal coming from the 
secondary actuator by operating a position-reversing 
lever with the primary actuator and then summing 
it with the actuator input (which is actuator 
position plus valve position) . The net result is 
that the mechanical signal at the secondary actuator 
is valve position only, or actuator velocity. 

Because the required motion is relatively small, 
the stroke of the secondary actuator should be 
reduced, and its positional loop gain increased. 

A quadruple LVDT then needs to be added to close 
the primary actuator loop. 
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3) Provide proper shaping of the electrical feed- 
back signals from the F-8C secondary actuator 

to closely approximate the effect of the mechani- 
cal feedback in the Shuttle secondary actuator. 

4) Replace the present single stage EHV's on the 
F-8C secondary actuators with improved (very 
likely two-stage) EHVs to provide more acceptable 
performance. High-pressure gain valves may be 
chosen on the basis of Shuttle compatible char- 
acteristics and pressure feedback added to obtain 
the pressure gain desired. 

An alternative to (4) might be to use the present 
backup system EHVs and modify the existing actuator 
cylinders (increase area) to achieve the necessary 
force/stroke requirements for driving the power 
cylinder servovalves. 

To adapt the F-8C secondary actuators to the Shuttle mis- 
track summing requirements other changes are necessary for the 
two alternatives in paragraph 4) above. These are described in 
detail in the following subsections. 


Use of High-Pressure Gain Valves and Pressure Feedback 
The block diagram of Figure D4 illustrates this solution. 



Figure D4. High-Pressure Gain Valves 
and Pressxire Feedback 
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In defining the pressure gain characteristics necessary 
to make this configuration function properly, it was assumed that 
(A) the maximum amount of "mistrack compatibility" (from the 
average command) needed is 1.5 percent of the total output po- 
sition, and (B) the combined effect of valve hysteresis and actu- 
ator friction could not exceed 0.10° (0.16%) peak-to-peak, or 
0.08° "slope". This amounts to an output pressure ratio require- 
ment of 18.75:1 (the mistrack pressure limit must be at least 
18.75 times the pressure equivalent of valve hysteresis and actu- 
ator friction). With the present 0.189 sq in. (1.22 cm^) actuator 
working into the equivalent of 180 lb (81.8 KG), the pressure 
required is 476.2 psi (33.5 KG/cm^) (for two channels) so mistrack 
pressure capabilities would need to be 18.75 times that amount, 
or 8928 psi (629.2 KG/cm^) . 


Modification of the F-8C Secondary Actuator Cylinder 
Area to Simulate the Shuttle Actuator 

The suggested modifications are indicated in Figure D5. 



Figure D5. Modified Secondary Actuator Cylinder 
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By modifying the present cylinder to achieve greater piston 
area/ and adding transducers to the output of the surface actua- 
tors for closing the loops as in the first solution, a reasonable 
solution was found. Using two channels to handle the equivalent 
of 160-lb (72.7 KG) friction load (friction will be reduced by re- 
ducing the piston rod diameter) , the hysteresis equivalent pressure 
could be markedly reduced. By setting the mistrack limit at 2400 
psi (169 KG/cm^) , equivalent hysteresis pressure must not exceed 
1/18.75 of that value, or 128 psi (9.01 KG/cm^) and two channels 
could handle that with 0.625 sq. in. (4.03 cm^) each. The present 
secondary actuators have a cylinder bore of 1.386 inches (1.5087 
sq in.) (9.73 cm^) , so the rod size must be reduced to 0.8837 sq. 
in. (.570 cm2), or 1.0607 diameter. 

Further considerations justified this approach; the present 
single-stage EHVs are limited to a maximum flow of 0.58 CIS (9.5 
cc/sec) , which results in a maximum velocity of the 0.625 sq in. 
(4.03 cm2) cylinder of 0.928 in./s. (2.36 cm). In the velocity 
loop, a 0.01 sec. time from neutral to maximum velocity would be 
desirable, and this would be a maximum stroke of ±0.0928 in. (2.36 
mm) The entire actuator diagram would appear as shown in Figure D6 . 


Velocity loop gain = 200 radians 

1.3 V/V 86.2 V/in (39.2V/CM) 



Control 

surface 


Figure D6. Block Diagram of Secondary Actuator Loop 
Using Modified Cylinders 
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It can be seen that all gains and voltages are probably 
within range of the present equipment; new LVDTs must be selected 
to provide the same peak voltages as the previous units. 

Several problems may be encountered when attempting to 
demonstrate operation of the Shuttle actuation system using 
existing hardware: 

1) Valve drive linkages must be adapted to provide the 
proper ratios with the existing power servovalves . 

These valves have been designed for manual operation 
with structural compensation of the dynamic load feed- 
back. Some difficulty may be experienced in mechanizing 
the electrical feedback of the dual channels. 

2) Valve drive mechanization will prove difficult, par- 
ticularly in the aileron installations. Limitations 
of the "floating body" system may excessively comp- 
licate the design. 

3) A "failure indication" pressure level of 2400 psi 
(169 KG/cm2) has been assigned; there are several 
factors which make this assvunption precarious; 

a) The backup system EHV has a rated pressure gain 
of 120 psi/ma (8.45 KG/cm"^/ma) ; it also has a 
rated current of 16 ma. Examination of the prob- 
able characteristics of a valve of this typd 
(Figure D7) will show the limitations. 

Note that the ratings are for the usual linear 
range of operation; the valve is actually capable 
of operation beyond that range, but precautions 
must be applied. In this case, 2400 psi failure 
indications would mean 80 percent "recovery" of 
the 3000 psi (211.4 KG/ cm2) system, and this leaves 
little margin for system pressure loss , 

b) It is doubtful that the present hydraulic power 
supplies can maintain 3000 psi (211.4 KG/cm2) 
without modification, particularly in the oper- 
ating mode of this concept. It must be kept in 
mind that secondary actuator displacements are 
proportional to surface actuator velocity, and 
hydraulic supply pressure drop is proportional 
to surface actuator velocity, so monitoring 
limitations occur just when failure detection is 
needed most. 
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FLOW 



Figure D7. Integrated Surface Actuator 
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c) A lower "failure indication" pressure can help 
the situation, but there are limits to this 
approach ; for example : 

If 1200 psi (84.5 KG/cm^) is selected 
for the failure power, then maximvim gross 
friction pressure available is 1200/18.75, 
or 64 psi (4.5 KG/cmM . This means that 
1.25 sq in. (8.06 cm^) are needed to handle 
the 80 lb (36.4 KG) per channel so a piston 
rod of only 0.574 in. (1.46 cm) dia is all 
that is possible. If a minimum output rod 
of 0.625 in. (1.59 cm) dia is required 
(0.3067 sq in.) (1.98 cm^) , net cylinder 
area would need to be 1.5567 sq in. (10.0 
cm^) , or 1.4082 in. (3.58 cm) dia; this 
would mean removing 0.011 in. (.28 mm) On 
a side (radial) from the cylinder wall — 
another costly operation. 

d) The single-stage, jet-pipe EHV causes another 
problem; If a "soft" failure should occur, i.e., 
open torque motor or servoamplifier , the remaining 
channels cannot create adequate flow in the jet- 
pipe receiver holes to develop sufficient pressure 
for failure indication. The only solution is to 
mechanically bias the jet-pipe to a hard-over 
(max-pressure) position, and allow the servo loop 
to drive it to center, but this results in an 
undetectable failure when the jet-pipe itself 
fails. 


While it has been shown that simulation of the Shuttle actu- 
ation system is possible with the present F-8C equipment, it is 
doubtful that a meaningful simulation would result. From the 
standpoint of actuation system design, this objective is not con- 
sidered practical. 


Simulation of Shuttle Surface Actuators 

The preceding configurations have considered various ways to 
modify the existing F-8C secondary actuators. Improved vehicle 
control may also be accomplished by replacement or modification 
of the existing surface actuators. 

Figure D8 presents an arrangement for converting the existing 
surface actuators to an integrated actuator design. The existing 
actuator would be modified with an adapter manifold mounting new 
three-position engage valves, pilot valves, and electrohydraulic 
control valves. 
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CHANNEL COMMAND SIGNALS 
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Figure D8 . Integrated Surface Actuator 
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This arrangement could be operated either in a triple-fail- 
operative or dual-fail-operative mode with backup. In the first 
case, it would be compatible with a quadruple redundant digital 
coniputation configuration and the second application would be 
consistent with a three-channel primary control system having a 
single-channel backup. 

This configuration offers the significant advantages in- 
herent in the integrated approach of reduced weight (secondary 
actuators are eliminated), fewer parts, higher reliability, and, 
in addition, an increased dynamic performance capability. Its 
primary disadvantage is the time-critical switching required in 
some failure modes. 

Another proposed surface actuator configuration based upon 
modification of the existing F-8C surface actuator is shown in 
Figure D9. This configuration is intended to closely approximate 
the mechanical design of the Space Shuttle surface actuator. It 
requires fabrication of a manifold, spool and driver actuator 
assembly that can be mo\inted directly to the surface actuator. 

It provides a four-channel, low-force-gain integral driver for 
dual fail operative use. 

This arrangement would provide insight into Shuttle actuator 
performance and monitoring techniques. Failure switching is non- 
time critical. Quadruple channel computation is required for 
compatible signal and monitoring. The driver actuator hysteresis 
is a very critical parameter. Obviously, the modification itself 
is complex and provision of a backup would be very complicated. 

The estimated cost and complexity of these modified surface 
actuator configurations is sufficiently greater than that for 
modification of the secondary actuators such that they have not 
been considered in any of the candidate configurations . 


Engage Valve Alternates 


The largest consumers of electrical power in the actuation 
system are the solenoid valves in the actuator engage system. 

These solenoid valves require approximately one ampere per valve 
to maintain engagement. The basic engage valve system (and the 
associated servoactuator components) for channels 3 and 4 of 
the present secondary actuator are arranged as shown in Figure DIO. 
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CHANNEL COMMAND SIGNALS 


DRIVER 
ACTUATOR 
MOUNTED ,<0^ I 
ONTO* ■ 



CONVERT EXISTING SURFACE ACTUATORS 
TO SHUTTLE INTEGRATED SYSTEM 

FOUR CHANNEL, LOW FO^CE GAIN 
INTEGRAL DR'IVER FOR DUAL FAIL OP 


ADVANTAGES 

PROVIDES DUAL FAIL OP 
INCREASES DYNAMIC PERFORMANCE 
OF SURFACE ACTUATOR 
DUPLICATES SHUTTLE SYSTEM 
FAILURE SWITCHING NON-TIME CRITICAL 


DISADVANTAGES 

DRIVER HYSTERESIS CRITICAL 
FOUR CHANNELS REQUIRED 
BACK UP ADDITION COMPLEX 


Figure D9. 


Simulated Shuttle Surface Actuator 
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Figure DIO. Engage Valve and Solenoid 
Valve System Servoactuator 


In this arrangement, a spool-type valve with a return spring 
is used to bypass the servocylinder when in the "disengaged” posi- 
tion. When the solenoid in the solenoid valve moves the valve 
ball to the right it admits fluid from the pressure line into the 
right end of the engage valve and forces the spool to the left. 
This causes the EHV *to be connected to the servocylinder and oper- 
ation of the actuator can begin. 

In this case, the culprit is the solenoid valve; for the 
only flow passing through the solenoid valve is the pilot pres- 
sure needed to move the spool in the engage valve. The flow- 
handling capacity of the solenoid valve can easily be determined 
by the valve spool diameter and stroke and the switching period 
necessary for acceptable engage/disengage transients. 

With only this pilot valve flow needed by the solenoid, a 
more efficient solenoid valve can be used. This device is an 
adaptation of the EHV torque mo tor and nozzle-flapper system 
(Figure Dll) . 
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Flow- 


Flapper 


Figure Dll. Nozzle-Flapper Engage Valve System Schematic 

With no current in the torque motor, flow from the pressure 
line is limited only by the orifice. When the torque motor is 
energized, it pulls the flapper firmly against the nozzle, and 
all flow is directed into the spool valve chamber, where, as 
pressure builds up, it moves the spool to the left. In the 
engaged mode, there is no flow through the orifice, but there is 
a small leakage flow (about 0.3 cis on 4.92 cc/sec) through the 
orifice during the disengaged mode. 

If this system is applicable, engage valve current can be 
reduced to less than 10 ma (from the present 1-2 amperes) per 
channel. Feasibility is determined by engage spool sizing, and, 
depending upon relative costs, engage valve spool redesign can 
reduce those requirements substantially. In the configuration 
shown in Figures DIO and Dll, which are identical to those shown 
in the Hydraulic Research, Inc. schematic, an excessive amount 
of pilot flow is needed because of the spool arrangement. Note 
in these figures the central land; the fact that it must transfer 
flow from the blocked EHV port to a cylinder line involves two 
switching lands on opposite sides of a spool member, and valve 
stroke must be at least two port diameters. On the other hand. 
Figure Dl2 requires shorter strokes ; 

Note that the center land no longer needs to move completely 
across the right cylinder port, but merely uncover it; the same 
is true with all other valving actions; so spool travel, and 
solenoid valve flow, is reduced. 



EHV 


EHV 



Pilot 

valve 


Figure Dl2. Engage Valve Configuration for Minimtam Pilot Flow 
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CALCULATION OF RELIABILITY VARIATION WITH 
SELF TEST EFFECTIVITY 


The following four configurations were considered in this 
analysis : 

1. Quadruple-channel digital system without backup. 

2. Triple-digital channel system with a dual analog 
backup . 

3. Dual-digital channel system with a triple-channel 
analog backup. 

4. Dual-digital channel system with a dual-rchannel 
analog backup. 

State diagrams were constructed for each of these configura- 
tions and the probability of total system failure was computed 
for each configuration using the computerized State Interpretive 
Program (SIP) . Two failure rates were assigned to each digital 

channel (10“^ failures per hour and 10“^ failures per hour) . The 

failure rate assigned to an analog backup channel was 4.5 x 10”^ 
which is judged realistic for a typical analog channel. For this 

analysis, the 10“^ to 10“^ failure per hour failure rate assigned 
to the digital channels includes both the sensor and computation 
function but does not include the actuation function. 

The state diagrams of the four configurations are shown in 
Figures El through E4. The transition failure rates on these 
state diagrams are as follows: 

Xp = Total failure rate for a digital channel 

X 1 = Failure rate for that part of a digital channel 
that will be detected via self test. 

Xjj2 = Failure rate for that part of a digital channel 
that will be detected via self test. 

X^ = Failure rate for an analog backup channel. 

A description of the use of state diagrams to solve conplex 
redxindancy problems is provided in ref. 20. 
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2Xd2 



Xd =Xdi+Xd2=IO'3tO IO'^(RANGE) 

Xft *4.5 X 10-^ 

Xd| = (0.90T0 I.O)xXp*FAILURE RATE OF DIGITAL CHANNEL FAILURE MODES 
DETECTED BY SELF TEST 

Xo2=<Xp-Xp|)=FAILURE RATE OF DIGITAL CHANNEL FAILURE MODES NOT 
DETECTED BY SELF TEST 

Fs *FAIL-SAFE 
Fc =FA1L-CRITICAL 

Figure El. Triple-Digital and Dual-Analog 
Backup State Diagram 


2Xd2 



Xd =Xdi +Xd2 = I0"3T0 I0-^{RANGE) 

Xa'^.BxIO-'* 

Xp|*(0.90 TO I.O)xXo=FAILURE RATE OF DIGITAL CHANNEL FAILURE MODES 
DETECTED BY SELF TEST 

Xo2=<X()-Xd|)=FAILURE RATE OF DIGITAL CHANNEL FAILURE MODES NOT 
DETECTED BY SELF TEST 
Fs =FAIL-SAFE 
Fc 'FAIL-CRITICAL 

Figure E2 . Dual-Digital and Triple-Analog 
Backup State Diagram 
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2Xq2 



X(j«XD,tXQ2«IO-3TO 10'^ (RANGE) 

Xa •4.5x10-^ 

Xoi*(0.90 TO I.O)xXo«FAILURE RATE OF DIGITAL CHANNEL FAILURE MODES 
DETECTED BY SELF TEST 

Xn^(Xn-Xn|)«FAILURE RATE OF DIGITAL CHANNEL FAILURE MODES NOT 
DETECTED BY SELF TEST 

Fs -FAIL-SAFE 
Fc -FAIL-CRITICAL 

Figure E3. Dual-Digital and Dual-Analog 
Backup State Diagram 



Xq -Xqi +Xd2-I0-3 to 10-^ (RAN60 
X^ -4.5x10-^ 

Xj)|»(0.90 TO I.O)xX[)-FAILURE RATE OF DIGITAL CHANNEL FAILURE MODES 
DETECTED BY SELF TEST 

Xd2*(Xo-Xd|)-FAILURE RATE OF DIGITAL CHANNEL FAILURE MOOES NOT 
DETECTED BY SELF TEST 

Fs -FAIL-SAFE 

Fc -FAIL-CRITICAL 


Figure E4. Quad System State Diagram 
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For each of the state diagrams, there are two total system 
fail states, Fs and Fc; 

Fs = "Fail safe" - the final system failure is detected, 
and the system turns off (fail obvious) . 

Fc = "Fail-critical" - the final system failure may not 
be detected and may not be fail obvious . 

Probability of total system failure (Fs + Fc) was computed 
for each configuration for the two failure rate ranges assigned 

to the digital channel (10~3 and 10“^ failures per hour) using 
the SIP computer program. Sample SIP program printouts are pro- 
vided in Figure E5. 

The Y column in the SIP printout provides the probability of 
being in a given state for the time listed. The (1-Y) value for 
two hours and "Siim 1" provides the probability of total system 
failure for a two-hour mission. Dividing this value by two 
yields probability of total system failure per’ hour based on a 
two-hour mission. 

The results of this analysis are provided in the plots shown 
in Figures 48 and 49 in Section 7, which show the probability of 
total system failure/per hour versus the self-test capability of 
the primary digital channel. 

Figure El plots are based on a 10“^ failure-per-hour digital 

channel and a 4.5 x 10”^ failure-per-hour analog backup channel. 
As shown in Figure El, both the triple-channel digital with dual- 
channel analog backup and a quadruple digital channel have prob- 
abilities of total system failure much less than the other two 
configurations. Both of these configurations' probability of 
total system failures can be decreased by a factor of close to 
100 by varying the self-test cap^ility from 90 to 99.9 percent. 
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fS FCS TRIP-DUFIL 

SUM 1 STATES ARE 1234 


TIME 


TATE 

0.500 


1 

0.500 


2 

0.500 


3 

0.500 


4 

0.500 . 


5 

0.500 


6 

0.500 

SUM 

1 

1. 000 


1 

1 . 000 


2 

1. 000 


3 

1. 000 


4 

1. 000 


5 

1. 000 


6 

1.000 

SUM 

1 

1.500 


1 

1.500 


2 

1.500 


3 

1.500 


4 

1.500 


5 

1.500 


6 

1.500 

SUM 

1 

2. 000 


1 

2. 000 


2 

2. 000 


•tj 

2.000 


4 

2. 000 


5 

2. 000 


6^ 

2.000 

suH 

"TT™" 


<Y> 

0.998501 12451 3D 00 
0. 14981261 1083D- 02 
0 . 674325265373D- 06 
0. 750274459444D-07 
0. 112415644379D-10 
0. 112530877438D-10 
0.999999999976D 00 
0.997004495655D 00 
0. 299250933997D-02 
0 . 26946 052772 OD- 05 
0.3002 19 192332D- 06 
0. 393650998666D-1 0 
0.90 0493454E24D- 1 0 
0.999999999S20D 00 
0.99551 01 10057D 00 
0. 44831 56794 15D- 02 
0 . 6 0568 0267353D- 05 
0 . 6757384666 04D- 06 
0 . 3 03 067373685D- 09 
0.303999473454D-09 
0 . 99999999939 ID 00 
0.994017964358D 00 
0. 597007556797D-02 
0. 1 07568884996D-04 
0. 120174731816D-05 
0. 717843495439D-09 
0.72 078735942 ID- 09 


a-Y> 

0. 1 4988754865 OD- 02 
0.998501873888D 00 
0 . 999999325673D 0 0 
0.999999924972D 00 
0 . 999999999987D 0 0 
0 . 999999999987D 0 0 
0 . 23646862246 1 D- 1 0 
0 . 29955 0434465D- 02 
0. 997007490660D 00 
0. 999997305395D 00 
0. 999999699779D 00 
0. 999999999909D 00 
0. 999999999909D 00 
0. 180079950951D-09 
0.448988994322D-02 
0.99551 68432 04D 00 
b . 999993943 1 96D 0 0 
0. 99999932426 OD 00 
0 . 999999999696D 0 0 
0. 999999999694D 00 
0.609361450188D-09 
0 . 5982 03564 1 86D- 02 
0.994029924432D 00 
0.99998924311 ID 00 
0. 999993798252D 00 
0 . 99999999928 ID 00 
0. 999999999278D 00 


Figure E5. 


CIP Computer Printouts 90% Self Test 
and Aq = 10”^ 
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PIECE PART AND COMPONENT FAILURE RATES 


A listing of standard Honeywell piece part failure rates 
applicable for FCS use is provided in Table Fl. 


COMPONENT FAILURE RATES 

The component failure rates used for calculating the candi- 
date configurations reliability and maintainability ratings are 
identified in this subsection. The source of the information 
and pertinent comments are also included, where possible. 


Sensors 

Rate Gyro . - Rate gyros contribute a major portion of the 
sensor failure rates . A common figure rate used over the past 

several years is 1 x 10”^ per hour. Current Honeywell experience 
is substantially better, however. 

A failure rate of 5.2%/1000 hours was assigned to the rate 
gyro. This is made up of 5.0%/1000 hours (based on Honeywell's 
experience using rate gyros on C-5A aircraft during the first 
3000 to 4000 hours of gyro life) for the basic gyro and 0.2%/l000 
hours for that part of the power supply required for rate gyro 
power. This rate is based upon time-limited operation of new 
devices and does not consider wearout effects. Thus, this fail- 
ure rate is considered valid only as long as the total gyro 
operating hours are less than approximately 4000 hours. However, 
even this rate is probably pessimistic for failure probability 
after the device has been run-up and been found satisfactory by 
preflight BIT. 

Accelerometer . - A failure rate of 3.2%/1000 hours was 
assigned to the accelerometer. This is made up of 3.0%/1000 
hours for the basic accelerometer and 0.2%/1000 hours for that 
part of the power supply required for accelerometer power. This 
failure rate is consistent with the failure rate experience on 
Honeywell's accelerometers on aircraft such as the C-5A. 
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TABLE FI. - PART FAILURE RATES 


Failure Rates in Percent/ 
1000 hours (1974) 

PART 


Application 


Commercial Military 

Aircraft Aircraft 


Part Grade 


Commercial MIL-STD 
(or Equiv. ) 


Accelerometer 

Capacitor, Fixed, Ceramic 

Capacitor, Fixed, Aluminum Electrolytic 

Capacitor, Fixed, Electrolytic-TA, FOIL 

Capacitor, Fixed, Electrolytic-TA, Solid 

Capacitor, Fixed, Electrolytic-TA, WET SLUG, Herm. Sealed 

Capacitor, Fixed, Glass Dielectric 

Capacitor, Fixed, Metallized Paper Dielectric 

Capacitor, Fixed, Mica Dielectric 

Capacitor, Fixed, Paper Dielectric 

Capacitor, Fixed, Plastic Dielectric, Herm. Sealed 
Connector Half, Plug or Receptacle, Electrical 
Plus, Per Active Pin or Socket 

Gear Train, Instrument Manually Operated, Per Mesh 
Gear Train, Instrument, Motor Driven, Per Mesh 
Gyroscope 

Integrated Circuit, Analog, Small Scale, Bipolar, Her 
Integrated Circuit, Digital, Small Scale, Bipolar, Her 
Integrated Circuit, MOS (SSI, MSI, LSI) and Bipolar (MSI/LSI) 
Integrated Circuit, (Analog, digital), all scales, plastic 

Lamp, Incandescent 
Meter Movement 
Meter, Time Totalizing 
Motor 

Printed Circuit Board 
Reactor 

Relay Armature-General Purpose, Per Coil 

Plus, Per Contact Pair, % per 1000 on/off Cycles 

Resistor, Fixed, Composition 

Resistor, Fixed, Film 

Resistor, Fixed, Wirewound 

Resistor, Thermal 

Resistor, Variable W.W., Trimmer Type 
Diode, Silicon Controlled Rectifier 
Diode, Silicon, GP, Switching 

Diode, Voltage Reference, Voltage Regulator, Zener* 

Diode, Rectifier, Power, rated > 1 watt 
Diode, Quad 
Diode , Photo 

Diode, Plastic Encapsulated 

Switch, Rotary (%/1000 Cycles/Contact Pair) 

Switch, Sensitive (%/1000 Cycles/Contact Pair) 

Switch, Thermostatic (%/1000 Cycles/Contact Pair) 

Switch, Toggle (%/1000 Cycles /Contact Pair) 

Synchro, Control Transformer 
Transformer, One Watt or more 
Transformer, Less Than One Watt 
Transistor, Field Effect 
Transistor, Silicon, Dual 
Transistor, Silicon, General Purpose 
Transistor, Silicon, Power, rated > 1 watt 


(See paragraph 3.3! 

0.005 

0.003 

0.045 

0.03 

0.008 

0.005 

0.014 

0.009 

0.065 

0.043 

0.003 

0.002 

0.021 

0.014 

0.005 

0.003 

0.015 

0.01 

0 .03 

0.02 

0.015 

0.01 

0.003 

0.002 

0 .033 

0.033 

0.1 

0.1 

(See Paragraph 3.3) 

0.15 

0.1 

0.015 

0.01 

(See Paragraph 3.6) 

Special Case - 

Consult 

Central Rel 

0.16 

0.16 

0.48 

0.32 

0.288 

0.192 

1.5 

1.0 

(See Paragraph 3.4) 

0.02 

0.013 

0.174 

0.116 

0.039 

0.026 

0.002 

0.001 

0.008 

0.005 

0 .015 

0.10 

0.009 

0.006 

0.15 

0.1 

0.23 

0.154 

0.014 

0.009 

0.024 

0.016 

0 .074 

0.049 

0.033 

0.022 

0.27 

0.18 

Special Case - 

Consult 

Central Rel 

0.175 

0.117 

0.149 

0.099 

0.327 

0.218 

0.28 

0.187 

0.38 

0.25 

0.218 

0.145 

0.126 

0.084 

0.022 

0.015 

0.11 

0.078 

0.02 

0.013 

0.106 

0.071 


* If rated > 1 watt, use power diode failure rate. 
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Stick and rudder pedals . - The stick and rudder pedals con- 
tain three transducers (three-axis) with a failure rate of 0.263%/ 
1000 hour each, or a total of approximately 0.8%/1000 hours, for 
each channel. A failure rate of 1.0%/1000 hours was assigned to 
the single-channel, three-axis stick and rudder pedal function. 
This includes 0.2%/1000 hours for that part of the power supply 
required for the transducers. 


Digital Signal Transmission and Processing Components 

Interface Unit (I.U.) . - A failure rate of 15.86%/1000 hours 
was assigned to the I.U. The I.U. contains all of the Input/Out- 
put processing and I/O control circuitry for CPU operation without 
data bus. A breakdown of the I.U. failure rate by subfunction is 
as follows; 


o 

Multiplexer 

- 0.83%/1000 

hours 

o 

D-C multiplexer 

- 0.83%/1000 

hours 

o 

I/O control 

- 0.65%/1000 

hours 

o 

A/D converter 

- 1.50%/1000 

hours 

o 

Analog output 

- 2.90%/1000 

hours 

o 

Discrete output 

- 0.85%/1000 

hours 

o 

Discrete input 

- 1.00%/1000 

hours 

o 

Power supply 

- 3.60%/1000 

hours 

o 

Demodulator 

- 3.60%/1000 

hours 


TOTAL 

- 15.86%/1000 

hours 


These function failure rates are based on standard Honeywell 
circuits and failure rates. 

AP-101 Computer and Memory . - Based on inputs from IBM the 
predicted failure rates for the AP-101 as a function of memory 
size are as follows: 

16K Memory - 18.2%/1000 hours 

24K Memory - 23.5%/1000 hours 

32K Memory - 29 %/1000 hours 
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Data bus . ~ A failure rate of 0.05%/1000 hours was assigned 
the data bus which is judged conservative based on standard 
Honeywell failure rates. 

Bus Control Unit (ECU) . - The BUG is made of about 200 DIPS 
with the following approximate breakdown with complexity; 


o 

20% SSI 



o 

50% MSI 

* 


o 

30% LSI 



failure 

rate prediction was made as follows; 


o 

40 X 0.010%/1000 hours 

= 0.40%/1000 

hours 

o 

MSI - 100 X 0.025%/1000 hours 

= 2.40%/1000 

hours 

o 

LSI - 60 X 0.060%/1000 hours 

= 3.60%/1000 

hours 

o 

Connectors and solder joints 

= 1.35%/1000 

hours 

o 

Resistors and Capacitors 

= 0.25%/1000 

hours 


Total 

= 8.00%/1000 

hours 


MTBF 

=12 500 hours 


Multiplexer Demultiplexer (MDM) . - The MDM is made up of 
about eight PC boards (six logic and two power supply) with 180 
DIPS having the following complexity breakdown: 

o 60% MSI 

o 30% SSI 

o 10% linear 

A failure rate prediction was made as follows; 


o 

MSI - 108 

X 0.024%/1000 hours 

= 2.592%/1000 

hours 

o 

SSI - 54 

X 0.010%/1000 hours 

= 0.540%/1000 

hours 

o 

Linear - 

18 X 0.05%/1000 hours 

II 

o 

• 

O 

O 

!-■ 

O 

O 

O 

hours 
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o Connectors and solder joints 
o Power supplies (2) 

Total X 

MTBF 


= 1.968%/1000 hours 
= 4.000%/1000 hours 
= 10.000%/1000 hours 
= 10 000 hours 


Each MDM is made up of two identical redundant channels 
which both interface with three plug-in card sub-system interface 
boards (SSIBs) . A failure rate of 5.0%/1000 hovirs was assigned 
to each channel of the MDM which does not include the three SSIBs. 

Sub-system Interface Board (SSIB) . - Three standard SSIBs 
were considered. The first type SSIB will accept a-c- inputs 
from sensors and will demodulate and multiplex for the two MDM 
channels. A failure rate of 0.5%/1000 hours was assigned to 
these cards based on typical demod/multiplex circuitry and 
Honeywell standard failure rates. 

The second type SSIB will accept and transmit discrete sig- 
nals and sensor power signals to and from the two MDM channels . 

A failure rate of 0.3%/1000 hours was assigned to these cards 
based on typical discrete input/output multiplex circuitry and 
standard Honeywell piecepart failure rates. 

The third type SSIB will contain the necessary interface 
circuitry for the actuators. This will include power inputs for 
servo amplifiers, sample hold signal inputs for servo amplifiers, 
and AP feedback signal processing circuitry. A failure rate of 
0.5%/1000 hours was assigned to these cards based on the expected 
circuitry required and standard Honeywell failure rates. 


Actuators and Servo Loop Components 

Servo amplifier . - A failure rate of 0.38%/1000 hours was 
assigned to each servo amplifier. This was established using a 
typical servo amplifier design and standard Honeywell failure 
rates . 

Secondary actuator . - A failure rate of 2.08%/1000 hours was 
used for each channel of the secondary actuator, including 
electrohydraulic servo valves. 
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Primary or power actuator . - A failure rate of 1.54%/1000 
hours was used for each primary actuator cylinder. At least one 
of the two power actuator cylinders are required for successful 
operation. On the basis of a 2-hour mission, the equivalent 

failure rate for a 1 of 2 scheme is approximately 0.047 x 10“®. 

Servo position feedback circuitry . - A failvure rate of 0.5%/ 
1000 hours was assigned based on Honeywell's failure rates and 
expected parts count. 

Power supply requirements . - A failure rate of 1.5%/1000 
hours was assigned to that part of the power supply required for 
the servo amplifier and servo position feedback circuitry. 


Control Panel 

A failure rate of 1.76%/1000 hours was assigned to the total 
control panel. This failure rate is based on C-5A experience. 

A failure rate of 0.8%/1000 hours was assigned to each of the 
three channels which includes 0.2%/1000 hours for that part of 
the power supply required for control panel power. 
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